lumma | cada589a1b8763787f2627812a48a9aa6fde564f63ef17de71927af34cf96c2d

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08-03-2024 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cada589a1b8763787f2627812a48a9aa6fde564f63ef17de71927af34cf96c2d.exe
Size

1.4MB
MD5

3e62b1ff32a4ada59b3dc95b0257bc24
SHA1

692135b1aa72282b6fd405fe4b8cd90ef2532f94
SHA256

cada589a1b8763787f2627812a48a9aa6fde564f63ef17de71927af34cf96c2d
SHA512

bc6428056204a6ffc5632b07614b48fad4cdf66fc769303757e8a466c722d3bb5e808f58ba82c5541f490b032454f82d0ba802851ed69a1a6f0cf7547bbf351f
SSDEEP

24576:yyW03Kg4GLQvrveaIsXxYGmy1DMWKnc4TJyfsd76yfNARB9kSgrit/lK:ZWDgL+Dehq6GnIJTkfsh6yfNAf0iRl

Score

10^/10

lumma mystic redline smokeloader taiga backdoor paypal infostealer persistence phishing stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2022

http://5.42.92.190/fks/index.php

rc4.i32

Extracted

Family

redline

Botnet

taiga

5.42.92.51:19057

Signatures

Detect Lumma Stealer payload V4 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/6252-688-0x0000000000400000-0x0000000000488000-memory.dmp	family_lumma_v4
behavioral1/memory/6252-691-0x0000000000400000-0x0000000000488000-memory.dmp	family_lumma_v4
behavioral1/memory/6252-692-0x0000000000400000-0x0000000000488000-memory.dmp	family_lumma_v4
behavioral1/memory/6252-694-0x0000000000400000-0x0000000000488000-memory.dmp	family_lumma_v4

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/6520-154-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6520-156-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6520-155-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family
behavioral1/memory/6520-158-0x0000000000400000-0x0000000000433000-memory.dmp	mystic_family

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/6848-355-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Executes dropped EXE 8 IoCs

Processes:

gy8JA04.exeGy2Fw50.exeHf0qQ44.exe1Nv96Vs4.exe2Qq4249.exe7SF89fA.exe8Mt561eS.exe9XX1gK3.exe

pid process

3596 gy8JA04.exe
4724 Gy2Fw50.exe
3964 Hf0qQ44.exe
2736 1Nv96Vs4.exe
6184 2Qq4249.exe
6608 7SF89fA.exe
6728 8Mt561eS.exe
6240 9XX1gK3.exe

pid	process
3596	gy8JA04.exe
4724	Gy2Fw50.exe
3964	Hf0qQ44.exe
2736	1Nv96Vs4.exe
6184	2Qq4249.exe
6608	7SF89fA.exe
6728	8Mt561eS.exe
6240	9XX1gK3.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Gy2Fw50.exeHf0qQ44.execada589a1b8763787f2627812a48a9aa6fde564f63ef17de71927af34cf96c2d.exegy8JA04.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Gy2Fw50.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Hf0qQ44.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cada589a1b8763787f2627812a48a9aa6fde564f63ef17de71927af34cf96c2d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	gy8JA04.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Nv96Vs4.exe	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal

Suspicious use of SetThreadContext 3 IoCs

Processes:

2Qq4249.exe8Mt561eS.exe9XX1gK3.exe

description	pid	process	target process
PID 6184 set thread context of 6520	6184	2Qq4249.exe	msedge.exe
PID 6728 set thread context of 6848	6728	8Mt561eS.exe	AppLaunch.exe
PID 6240 set thread context of 6252	6240	9XX1gK3.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6704 6520 WerFault.exe AppLaunch.exe

pid	pid_target	process	target process
6704	6520	WerFault.exe	AppLaunch.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

7SF89fA.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7SF89fA.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7SF89fA.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	7SF89fA.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exe7SF89fA.exeidentity_helper.exe

pid	process
4956	msedge.exe
4956	msedge.exe
2624	msedge.exe
2624	msedge.exe
924	msedge.exe
924	msedge.exe
5332	msedge.exe
5332	msedge.exe
5688	msedge.exe
5688	msedge.exe
6608	7SF89fA.exe
6608	7SF89fA.exe
4484	identity_helper.exe
4484	identity_helper.exe
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404
3404

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

7SF89fA.exe

pid process

6608 7SF89fA.exe

pid	process
6608	7SF89fA.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

msedge.exe

pid	process
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3404
Token: SeCreatePagefilePrivilege	3404
Token: SeShutdownPrivilege	3404
Token: SeCreatePagefilePrivilege	3404

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

1Nv96Vs4.exemsedge.exe

pid	process
2736	1Nv96Vs4.exe
2736	1Nv96Vs4.exe
2736	1Nv96Vs4.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
2736	1Nv96Vs4.exe
2736	1Nv96Vs4.exe
2736	1Nv96Vs4.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

1Nv96Vs4.exemsedge.exe

pid	process
2736	1Nv96Vs4.exe
2736	1Nv96Vs4.exe
2736	1Nv96Vs4.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
924	msedge.exe
2736	1Nv96Vs4.exe
2736	1Nv96Vs4.exe
2736	1Nv96Vs4.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cada589a1b8763787f2627812a48a9aa6fde564f63ef17de71927af34cf96c2d.exegy8JA04.exeGy2Fw50.exeHf0qQ44.exe1Nv96Vs4.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 2256 wrote to memory of 3596	2256	cada589a1b8763787f2627812a48a9aa6fde564f63ef17de71927af34cf96c2d.exe	gy8JA04.exe
PID 2256 wrote to memory of 3596	2256	cada589a1b8763787f2627812a48a9aa6fde564f63ef17de71927af34cf96c2d.exe	gy8JA04.exe
PID 2256 wrote to memory of 3596	2256	cada589a1b8763787f2627812a48a9aa6fde564f63ef17de71927af34cf96c2d.exe	gy8JA04.exe
PID 3596 wrote to memory of 4724	3596	gy8JA04.exe	Gy2Fw50.exe
PID 3596 wrote to memory of 4724	3596	gy8JA04.exe	Gy2Fw50.exe
PID 3596 wrote to memory of 4724	3596	gy8JA04.exe	Gy2Fw50.exe
PID 4724 wrote to memory of 3964	4724	Gy2Fw50.exe	Hf0qQ44.exe
PID 4724 wrote to memory of 3964	4724	Gy2Fw50.exe	Hf0qQ44.exe
PID 4724 wrote to memory of 3964	4724	Gy2Fw50.exe	Hf0qQ44.exe
PID 3964 wrote to memory of 2736	3964	Hf0qQ44.exe	1Nv96Vs4.exe
PID 3964 wrote to memory of 2736	3964	Hf0qQ44.exe	1Nv96Vs4.exe
PID 3964 wrote to memory of 2736	3964	Hf0qQ44.exe	1Nv96Vs4.exe
PID 2736 wrote to memory of 544	2736	1Nv96Vs4.exe	msedge.exe
PID 2736 wrote to memory of 544	2736	1Nv96Vs4.exe	msedge.exe
PID 2736 wrote to memory of 924	2736	1Nv96Vs4.exe	msedge.exe
PID 2736 wrote to memory of 924	2736	1Nv96Vs4.exe	msedge.exe
PID 544 wrote to memory of 3772	544	msedge.exe	msedge.exe
PID 544 wrote to memory of 3772	544	msedge.exe	msedge.exe
PID 924 wrote to memory of 3232	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 3232	924	msedge.exe	msedge.exe
PID 2736 wrote to memory of 1856	2736	1Nv96Vs4.exe	msedge.exe
PID 2736 wrote to memory of 1856	2736	1Nv96Vs4.exe	msedge.exe
PID 1856 wrote to memory of 3220	1856	msedge.exe	msedge.exe
PID 1856 wrote to memory of 3220	1856	msedge.exe	msedge.exe
PID 2736 wrote to memory of 4944	2736	1Nv96Vs4.exe	msedge.exe
PID 2736 wrote to memory of 4944	2736	1Nv96Vs4.exe	msedge.exe
PID 4944 wrote to memory of 512	4944	msedge.exe	msedge.exe
PID 4944 wrote to memory of 512	4944	msedge.exe	msedge.exe
PID 2736 wrote to memory of 1572	2736	1Nv96Vs4.exe	msedge.exe
PID 2736 wrote to memory of 1572	2736	1Nv96Vs4.exe	msedge.exe
PID 1572 wrote to memory of 1812	1572	msedge.exe	msedge.exe
PID 1572 wrote to memory of 1812	1572	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe
PID 924 wrote to memory of 4420	924	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\cada589a1b8763787f2627812a48a9aa6fde564f63ef17de71927af34cf96c2d.exe
"C:\Users\Admin\AppData\Local\Temp\cada589a1b8763787f2627812a48a9aa6fde564f63ef17de71927af34cf96c2d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gy8JA04.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gy8JA04.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3596

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gy2Fw50.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gy2Fw50.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4724

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf0qQ44.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf0qQ44.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3964

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Nv96Vs4.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Nv96Vs4.exe
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
6⤵
- Suspicious use of WriteProcessMemory
PID:544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x180,0x184,0x188,0x15c,0x18c,0x7fffd87e46f8,0x7fffd87e4708,0x7fffd87e4718
7⤵
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1648,3844894832586452268,17233186785343348196,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1948 /prefetch:2
7⤵
PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1648,3844894832586452268,17233186785343348196,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
6⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fffd87e46f8,0x7fffd87e4708,0x7fffd87e4718
7⤵
PID:3232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
7⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
7⤵
PID:3152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
7⤵
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
7⤵
PID:4792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
7⤵
PID:2204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
7⤵
PID:5288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
7⤵
PID:5372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4404 /prefetch:1
7⤵
PID:5752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
7⤵
PID:5888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
7⤵
PID:5996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
7⤵
PID:5192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
7⤵
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
7⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
7⤵
PID:6264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
7⤵
PID:6308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
7⤵
PID:6616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:1
7⤵
PID:6960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7308 /prefetch:1
7⤵
PID:6956

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3888 /prefetch:8
7⤵
PID:6692

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3888 /prefetch:8
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7712 /prefetch:1
7⤵
PID:6520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1
7⤵
PID:6920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1
7⤵
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8744 /prefetch:8
7⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
7⤵
PID:6184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,14787068602154733297,9751473755569918990,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 /prefetch:2
7⤵
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
6⤵
- Suspicious use of WriteProcessMemory
PID:1856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffd87e46f8,0x7fffd87e4708,0x7fffd87e4718
7⤵
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,17109361879180224911,13537937586016072235,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:5332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
6⤵
- Suspicious use of WriteProcessMemory
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x180,0x184,0x188,0x15c,0x18c,0x7fffd87e46f8,0x7fffd87e4708,0x7fffd87e4718
7⤵
PID:512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,13634417024100360337,17410411925624117397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
6⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffd87e46f8,0x7fffd87e4708,0x7fffd87e4718
7⤵
PID:1812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
6⤵
PID:2860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x178,0x17c,0x180,0x154,0x184,0x7fffd87e46f8,0x7fffd87e4708,0x7fffd87e4718
7⤵
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
6⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffd87e46f8,0x7fffd87e4708,0x7fffd87e4718
7⤵
PID:5552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
6⤵
PID:6048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fffd87e46f8,0x7fffd87e4708,0x7fffd87e4718
7⤵
PID:6084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
6⤵
PID:700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffd87e46f8,0x7fffd87e4708,0x7fffd87e4718
7⤵
PID:5920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
6⤵
PID:5780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fffd87e46f8,0x7fffd87e4708,0x7fffd87e4718
7⤵
PID:5176

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Qq4249.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Qq4249.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6184

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:6520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6520 -s 548
7⤵
- Program crash
PID:6704

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7SF89fA.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7SF89fA.exe
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:6608

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8Mt561eS.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8Mt561eS.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6728

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:6848

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9XX1gK3.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9XX1gK3.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6240

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
PID:6252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6520 -ip 6520
1⤵
PID:6660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4500

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2b75562e-b6ed-4be2-beba-9b2b29590257.tmp
Filesize
11KB

MD5
eba7f3ca929bb2abc66eda6fa5723b51

SHA1
7b638a7d9e92de76170639974b555d251e4cdabb

SHA256
065a6645034417ec26c4d453174a53bef57e15f0e6db52b655b78deb8d576694

SHA512
8c12e6f58dd37873a1cc56ed72e456ffe50a72c514b184383ccb0e19692d78e0dde7aaf02fa773f188099087deac04a07eb7f52cd95e1312591e13226ecfd33e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
33KB

MD5
c15d33a9508923be839d315a999ab9c7

SHA1
d17f6e786a1464e13d4ec8e842f4eb121b103842

SHA256
65c99d3b9f1a1b905046e30d00a97f2d4d605e565c32917e7a89a35926e04b98

SHA512
959490e7ae26d4821170482d302e8772dd641ffbbe08cfee47f3aa2d7b1126dccd6dec5f1448ca71a4a8602981966ef8790ae0077429857367a33718b5097d06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020
Filesize
34KB

MD5
5509dc34b3c84cdc1ab397f8e612c6d9

SHA1
1c936e101ab6f20319ee28750b4055de4ccf0252

SHA256
ea64223a135162ccf1eceefeb837ad92ec6b1e4fa39ef5a3d7e1f681242ed5e0

SHA512
2c43a5abeb94e05e778941920d260532795bd393abc98f4de1ca1850a96ec4b9fbb6883e36ac5a77193f2badcb25b2860e094ed9fe5797640253bc17f91eccfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021
Filesize
217KB

MD5
3f59398859b1045dba6593636c0a9db7

SHA1
b263d59ba8e6cd81de5e24d54ffd04a15fc321b9

SHA256
e83a65265518a271827a8abf7983183517b6fa7fb52d993d1231bee8e62ef183

SHA512
2bfee5f5bba88d2ae08128a324bf8c54cf39592a7fa7b8e054856ce38eaa9e90eca9e29a6fea69c992c1f49a39630d0eaec5f94239d6a47ddbc1fcbfc54508ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032
Filesize
194KB

MD5
f5b4137b040ec6bd884feee514f7c176

SHA1
7897677377a9ced759be35a66fdee34b391ab0ff

SHA256
845aa24ba38524f33f097b0d9bae7d9112b01fa35c443be5ec1f7b0da23513e6

SHA512
813b764a5650e4e3d1574172dd5d6a26f72c0ba5c8af7b0d676c62bc1b245e4563952bf33663bffc02089127b76a67f9977b0a8f18eaef22d9b4aa3abaaa7c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
b26e748a46b4f8ff056ac8115710b174

SHA1
d42ec1c32f9584c024c620263b6df3d3632e0a3f

SHA256
49b0f32799ebcd26b51ddeb4a305e19fa3ea059a2f3197436d1d849577c10deb

SHA512
fbaa41f96119be274078cd4a224a20fcf423eaa10e7b8a2e86e0a4d1472525725ec480365b9d615f8c7eaffe98758a7e68afd4764ee510eb8f1a5fe53202066f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
76cbe9960986ce82b2b0c0ace86088f2

SHA1
dee53cf4a72d5104605f67c1ebf200323cbcdf19

SHA256
f12bd26d8644343b7a9301c5cb17444d815bab3f307c07a95e227c53b5ef8994

SHA512
389b93b703fc781e64d8124b5523764b216fc07825eaca2772cd8b6bc6f719d9979f5c8478b52631bde36eb0f2757b6bf6f7606d381e966320019cca8b4e66f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
a9dba86996b8c0cf0daccd979d355496

SHA1
6566e875626f5d4b2702efd32f1489512470098b

SHA256
a8950321d3f641ea6d7c682a5c9012205eb47b98aed20fe2002cc3530d4d5ba3

SHA512
9750affe9475754d5e9eb2b8137a181dc498cf15ec095a4664c2a7a9548161adb77c3c915a536b87a637a04710e39144edefe37b38e9c6b98a4b929328f48af8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
fb4b636b2ab47d79889fd40641fdc21e

SHA1
eabdeb66c883f248fb5ff32c5b228eec353177d0

SHA256
a20a4c040ae2523604be95dd05e715865ff9fb0c5a7a34999de692f1aa434b54

SHA512
e74ed7a9dd28605440a0bdab29d8ee96baaed2c0f6eeeb89c164ce0b1530539e81ea580328483610e0f537b04419870c165d8617f236b401f578dc1bd1ddf131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
668f060e400048cf6db455bd9e8fa6ce

SHA1
8f0c2128d80e52c488a94592767bd0529e31b0b1

SHA256
51f466c7911e0fa4bff22a97a55651f00b9d5ce0b31f380e691395e41bda3f64

SHA512
9c2ed06728f4ab8d96fc82a40bb5be517cbee7a40968fe94934b646d74dfccaf67786086aa50b98bc652f396aa28f26125ec71cd12181b93cc586898f51a693a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
9cb5052011f5ac60342043310f147363

SHA1
d2706eeac6128431cfe7d264f6f2ef990efe471c

SHA256
1ee5376aade7b65579403526bcd3f67915abf908105328af925733688111eee3

SHA512
4c308c6efc67e383057d19f4e2f0c41afe005edcabad556a303eeeb1d36412f39d7c08cff2fca3dd13522661e40b6fceac7bb768fc7069116874b8cb0474b870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
59c0fd608440e6f3a091004db9d56cf6

SHA1
1a0f67fa89d165424ad5a65c7194b5aead8e5c4c

SHA256
935c484426b32b19514dcc03b02cde7aa28f856899f0952d1798d1b79b7a5364

SHA512
9e9e98a8c9fb20f21756106a4a9f547cc1d2df9f94be1cd9e286228c5ba6dc4bb19f184bf474440d2303ac74f2167b92f8cf0a821f5895fe5e7d4f136c1886e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
dce4a6e99ea9bf1a37db968eaee8ae05

SHA1
53c0484c017ec2c1b72ff38022274a3afe84b452

SHA256
94570b753ebfff164746ba348576ee63e5322af028b92bbd099f895d55fc4216

SHA512
c28ccb4070427d233ff486481eaa55b401eb7a7770b377430a7227cd28a193128e18dd88042e479790c9270cb792291486c0323923b171d77d34298637ede66f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
cb8d039f052c5583c11651d14bc82f09

SHA1
62c7a8ab55e96e53cf24186c23e6164be4cc98b8

SHA256
2010273f353ea57a6cdb0d3b751fd2825b32dde4b22acd70e55524575c204f94

SHA512
b96f13fd46c5582a80bbcf994f90535094f8bddd09fddfb2d9d987d8a08bb72902212d5d8414e108c37c0715709936d8c86f3e797859e3555daa551226fcce12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
242d7a3cf9867e554b9d383983a55d53

SHA1
83128d9f924deb377a9f49a5dec022075ebb0d44

SHA256
2e28ddeed67921746574d6721aa5c58c4872ac6ef871c67cf4d4ec55c171fbcd

SHA512
bc6e3d3428975404997dd1412480f4006e2841d48fa04ae92c5eb0d6416112cad92fe37b1c8c33a19c9b8a39f042b07271e7ca0ed1e082537402fbef5093e3f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
9c31ebb24714d25243eb45929be66360

SHA1
0b03601da19991559f9011c765e6362173e69f69

SHA256
a0141bcee28f72b0a061ccda8a9210290fdf77d813486fa343a958751a9e73c0

SHA512
7d376e9e15c46f4b11a8425c9e6f519fd6919c47e8dccddb02941fbca0d1a8d2f2f61dd11daa8cc5113c1c04819a00aa0ebd63cf4143062003a2470278a37c50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f879.TMP
Filesize
48B

MD5
14e0b36df8df05f3c5867a55e2a71773

SHA1
c135b891dd04caa238efb3ca2ff849d56539323f

SHA256
2df507a07d054f539b5983a70ca8158aff98effa68f2aa1a7c2b1011f1532526

SHA512
4d231033a3ceaef3d4e4daa1e55e624783e9c1dafde3a8268b4ed810067111b4ff2658209aa5b20e52ffbf6c643b3899fed838e853b503ab3ad914642e5a55a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
a8f6f4b849e6f3cb758b3c324d3f082a

SHA1
0c3a15f895918fc3b6d9c91f7c83c563965c7bac

SHA256
69d675281c24f6f18d74b50cc6de1aba012f1f144518e9da0cd5391819f9602c

SHA512
6d83c62226be784b1eaff044df7b4023c44fe78ae27b060020c8b05ca0970830f3161fac6a1187e7abe97672dd768adf9cb068609fb0cb482109db780e00281d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
3KB

MD5
cd6c0bbcabb4c0178d1969716f2a5c16

SHA1
18c4aca6c58a125ae5536c0da881f5cad37c2122

SHA256
7003986ea9b5a285f76db345ae24aa7a8592c5c034e7ac36f0c96e560a1443a3

SHA512
5e72bb49f8fa2292c94381746c232eb0a60c5095f534ebce02fc97c4b3f2f20313c1842324cc863b1adf9d41b020654a8ccd8a83d6bdf887d934b5777df8c34f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
52925e1f9fd9ba11a190bd124fdf52ff

SHA1
3171762f18cde0dd34b070091d7b86e6d7ddb2b9

SHA256
832e407c53277586d9ac449b4b8a468abfb33a911041b2e94ab7ba8a80754b19

SHA512
09d8f985938a81a0ef38c3d2b9ba980eab2da736babe89a81fc6b08f459d37ee43a1d374c38fe545f383845528bf0fd801a5030fe7ddc8c8441c7657e6bb317c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
df3b9f08717a36ac7d522c83cc7ebc16

SHA1
e1aae0b0110a059c067ab166c6ab4423ede2ffb4

SHA256
89c964caae2031466ef8be830d312c7dca58d63b17a95fdb88d52dc2c6f46635

SHA512
c051b5e186af7d9a788ae81a197ace1affe3f82769f318df237c8fbeeabdfa51c3b7d934984880619b9125b58b1652b7d178476c800f9d70d256776869cc2408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a3e1.TMP
Filesize
1KB

MD5
ffd99ccd038a1f03277c67d8c43350fc

SHA1
81b098c419ff4827465f3581f25c134873924a94

SHA256
ea322b54c210d7eda53a98fd80bd6f8335bd98139b375933539d96f80b8d2d6a

SHA512
30c2c93411c3d85ff9ed81e9ec06f3871d5a1aec32089eddf970649d300088bdfad2098fa7511d074d67c644c419b5f7964398d6820117f6a757882080677fc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
eb952cd771a057ab62a4e9d8c40f74b0

SHA1
20582add5907e7a7e277f00be63de1bde2744df5

SHA256
70b0c3d4e589f1723e356e3c7dfc8dbfa04b5f27eb77881784f14cc3fb437fed

SHA512
6aaf4c8a6f15f86ff724dacd4e50f251da08d9c890c8d90739cdab4e4e0c2ac805530e859e3228bc8fb273c13bd456b64c730e0fd77cf81f817d31f68e90fe7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
9c2f0e85892123a9d7aa8d4e7f190cad

SHA1
ae537dbb8615b9978049ebdb8e4210fbac46cc09

SHA256
93311907647899ae1791d4249bb6246ff8ceb5c71cbc6139a5e72aebe66aaae4

SHA512
8d2505eb6c7da8404c0465592bea503cfc5b3ad9cbd8a19ef8217e796bd59404cf85588a572e9ba7aed563bce1b54c6bddc4d18f17f5f25c81ea240495e4adf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
8ce9282b557d13a99aaf4df945f5b496

SHA1
85aed8e498030b450f1a2c804633f96eaabb945c

SHA256
c35faf268be1d5a85244773cef7a0202a2c11aaad32bd40573790ae872b09004

SHA512
6331bc52a66355439d19a3a8d6884be18b5cd5524089470341ecce2a73cda3d2fb96d927215c5f595abc6e7e4658caa59fadd6204e5ee4f061e970fa112b471e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\9XX1gK3.exe
Filesize
659KB

MD5
cfa3da6c69ff6f176c2c3d08072db258

SHA1
7e7884daa427e39591e1e18a3500232e2866f551

SHA256
09967c60e38b7de30828f102018afe51228269ed5ec114af959e309a28096acd

SHA512
04122e7892efd262d90c047c7cfcaba6128a4b0de1958505a4ee230a190b38c8e26e940333ed9daa4aaa99a4758d55b7e4357b914bd3a959b84f4870a829a0c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gy8JA04.exe
Filesize
1002KB

MD5
cc166916f8b7f463903e015ca142883b

SHA1
a0f21921a7ffb591520589d4ff7139fcc64453ef

SHA256
7574d1798e36f704cbe6b2c482dfce65027b64c00f23853dd1cdf25b414dbe8e

SHA512
431c550424b85b61d95f7cd84178f0f680f854510f9b165d00aecc09279a1a07ec8f44e53aeaa00397281a6e4826c8989ea53cec78c62552045185ed190e6bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\8Mt561eS.exe
Filesize
315KB

MD5
a0017b16b7312b37f113015a1d78f623

SHA1
64154d53aa87991ac41f2924c8963876671079fe

SHA256
57ef1e5e225c7614bbac1f4c21da44457f138a7c6de5279a7e83698e2b862047

SHA512
0002a7d39cf220eee6f7f68668fa3406ff2024a160be062784ebfb8b1a8385d3986f0b2b46bd401073db939c2b1c2264976237d19c4c9ea1131791cdd336321e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Gy2Fw50.exe
Filesize
781KB

MD5
f1eb4e40be1c7d1b69393c257b9e408a

SHA1
99075736872ac270f801d800eb3919b060104cc6

SHA256
fcfc205d621de722716b62ead048430597454983c413f802f3db72ac03257418

SHA512
c989aa34e3812752ba3b2256d85a4dc0730ebab8f7232c6d7ba805e4474dad73cf39037235272d62ad3627d26fa0663c8c3e59a988308e058e4b3093c9564e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\7SF89fA.exe
Filesize
37KB

MD5
b938034561ab089d7047093d46deea8f

SHA1
d778c32cc46be09b107fa47cf3505ba5b748853d

SHA256
260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161

SHA512
4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hf0qQ44.exe
Filesize
656KB

MD5
8af979f4573f3f5dc9fc460d90ce3b0f

SHA1
b362c93863fdc55bb1ecc0fdafcbc8c92999a674

SHA256
71c9602ae68f853f3c851ecbf28b9f6a746561cffe0b8ff803ecfd96b179a6a2

SHA512
e77d2b11f3ec4a65b8beffb1f77487308712ff2ad0705f64451f5613b965fd15f0a68effac951188808f2a509b14b65611b068c57d11b9f1e3ef65b0c03cba83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Nv96Vs4.exe
Filesize
895KB

MD5
8e27fa2892beea600f59bce31a8f0ae9

SHA1
23a6e41e19bf0ae51c6f26d6ce22b203958c39a8

SHA256
120fba9e3a1b2ba57f9ddbee328f64eeae4d4b31e61e2f3d32030e5dd85363c8

SHA512
7694c7e784b91ee520ab2e946dec9f0e052fd74ec6545e28fa103b9b4af76cb07e17c53ffc04927c21b58237ac5ff50eae6dfe2d8581368ae699159ddb37173c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2Qq4249.exe
Filesize
276KB

MD5
3542d295207e24d8ae6adc913357949e

SHA1
00db420d4185651d933d04b9af678a9bff94b450

SHA256
cc39749b12225105eb4e90802a5496eca9579d01445037832074e8961e30a26b

SHA512
de8c1a8371c775841ca9469c8838fc2f27ef65758c0a2f9f8a9e0d427242578dac912298eab2d884becbbcf0d88fc6c2566cbb0c1e693d87aa206756462a66ff

Download Submit
\??\pipe\LOCAL\crashpad_924_YAXBJHOFKHLFCWLU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3404-342-0x0000000000C60000-0x0000000000C76000-memory.dmp

Filesize
88KB

Download
memory/6252-688-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/6252-691-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/6252-692-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/6252-694-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/6520-155-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6520-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6520-156-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6520-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/6608-343-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/6608-161-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/6848-363-0x0000000007A60000-0x0000000007AF2000-memory.dmp

Filesize
584KB

Download
memory/6848-364-0x0000000007B90000-0x0000000007BA0000-memory.dmp

Filesize
64KB

Download
memory/6848-800-0x0000000073BF0000-0x00000000743A0000-memory.dmp

Filesize
7.7MB

Download
memory/6848-377-0x0000000008500000-0x000000000854C000-memory.dmp

Filesize
304KB

Download
memory/6848-813-0x0000000007B90000-0x0000000007BA0000-memory.dmp

Filesize
64KB

Download
memory/6848-362-0x0000000007F50000-0x00000000084F4000-memory.dmp

Filesize
5.6MB

Download
memory/6848-361-0x0000000073BF0000-0x00000000743A0000-memory.dmp

Filesize
7.7MB

Download
memory/6848-355-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/6848-365-0x0000000007B60000-0x0000000007B6A000-memory.dmp

Filesize
40KB

Download
memory/6848-367-0x0000000008B20000-0x0000000009138000-memory.dmp

Filesize
6.1MB

Download
memory/6848-368-0x0000000007E10000-0x0000000007F1A000-memory.dmp

Filesize
1.0MB

Download
memory/6848-369-0x0000000007D40000-0x0000000007D52000-memory.dmp

Filesize
72KB

Download
memory/6848-376-0x0000000007DA0000-0x0000000007DDC000-memory.dmp

Filesize
240KB

Download