quasar | abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6

Analysis

max time kernel
297s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Uni.exe
Size

409KB
MD5

4c2bb0618a6eda615c8001d5a7ccd6c0
SHA1

c88d2c8bfc5906a5cfef78893d1132edcffd71f0
SHA256

abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6
SHA512

6abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027
SSDEEP

12288:rpg6M1i1v6q1ak/e7xlX7nnvGAwhJLJO:lxqiii6xlLvGjhO

Score

10^/10

quasar seroxen spyware trojan

Malware Config

Extracted

Family

quasar

Version

3.1.5

Botnet

SeroXen

tue-jake.gl.at.ply.gg:29058

Mutex

$Sxr-xPAuDxLNyBmZ7S2WLJ

Attributes

encryption_key
Pw78RUs175dFrKD7lMwH
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
SeroXen
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/376-1-0x0000000000890000-0x00000000008FC000-memory.dmp	family_quasar
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe	family_quasar

Executes dropped EXE 2 IoCs

Processes:

Client.exeUDSGmbRKJ52C.exe

pid process

3932 Client.exe
3376 UDSGmbRKJ52C.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5068 3376 WerFault.exe UDSGmbRKJ52C.exe

flow	ioc
11	ip-api.com

pid	pid_target	process	target process
5068	3376	WerFault.exe	UDSGmbRKJ52C.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeSCHTASKS.exe

pid process

2700 schtasks.exe
1172 schtasks.exe
3988 SCHTASKS.exe

pid	process
2700	schtasks.exe
1172	schtasks.exe
3988	SCHTASKS.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133603470283378211"	msedge.exe

Modifies registry class 3 IoCs

Processes:

msedge.exeOpenWith.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{68C64451-9F4E-4A23-9475-0BF6A5FD3761}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 18 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 522387.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 153840.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 153045.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\Downloads\Unconfirmed 561761.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 561761.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 541868.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\Downloads\Unconfirmed 774147.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\Downloads\Unconfirmed 414160.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 414160.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 301627.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 21206.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\Downloads\Unconfirmed 153840.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\Downloads\Unconfirmed 522387.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\Downloads\Unconfirmed 301627.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\Downloads\Unconfirmed 153045.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\Downloads\Unconfirmed 541868.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\Downloads\Unconfirmed 21206.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 774147.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

msedge.exeAcroRd32.exemsedge.exe

pid	process
4532	msedge.exe
4532	msedge.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
2896	msedge.exe
2896	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Uni.exeClient.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	376	Uni.exe
Token: SeDebugPrivilege	3932	Client.exe
Token: 33	1796	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1796	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

UDSGmbRKJ52C.exemsedge.exe

pid	process
3376	UDSGmbRKJ52C.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe

Suspicious use of SendNotifyMessage 33 IoCs

Processes:

msedge.exe

pid	process
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

Client.exeUDSGmbRKJ52C.exeOpenWith.exeOpenWith.exeAcroRd32.exe

pid	process
3932	Client.exe
3376	UDSGmbRKJ52C.exe
5244	OpenWith.exe
5648	OpenWith.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe
1048	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Uni.exeClient.exemsedge.exe

description	pid	process	target process
PID 376 wrote to memory of 1172	376	Uni.exe	schtasks.exe
PID 376 wrote to memory of 1172	376	Uni.exe	schtasks.exe
PID 376 wrote to memory of 1172	376	Uni.exe	schtasks.exe
PID 376 wrote to memory of 3932	376	Uni.exe	Client.exe
PID 376 wrote to memory of 3932	376	Uni.exe	Client.exe
PID 376 wrote to memory of 3932	376	Uni.exe	Client.exe
PID 376 wrote to memory of 3988	376	Uni.exe	SCHTASKS.exe
PID 376 wrote to memory of 3988	376	Uni.exe	SCHTASKS.exe
PID 376 wrote to memory of 3988	376	Uni.exe	SCHTASKS.exe
PID 3932 wrote to memory of 2700	3932	Client.exe	schtasks.exe
PID 3932 wrote to memory of 2700	3932	Client.exe	schtasks.exe
PID 3932 wrote to memory of 2700	3932	Client.exe	schtasks.exe
PID 3932 wrote to memory of 2528	3932	Client.exe	msedge.exe
PID 3932 wrote to memory of 2528	3932	Client.exe	msedge.exe
PID 4532 wrote to memory of 2412	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2412	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe
PID 4532 wrote to memory of 2756	4532	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\Uni.exe
"C:\Users\Admin\AppData\Local\Temp\Uni.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Uni.exe" /rl HIGHEST /f
2⤵
- Creates scheduled task(s)
PID:1172

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3932

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "SeroXen" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:2700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://jasonswain.co.uk/
3⤵
PID:2528

C:\Users\Admin\AppData\Local\Temp\UDSGmbRKJ52C.exe
"C:\Users\Admin\AppData\Local\Temp\UDSGmbRKJ52C.exe"
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 1920
4⤵
- Program crash
PID:5068

C:\Windows\SysWOW64\SCHTASKS.exe
"SCHTASKS.exe" /create /tn "$77Uni.exe" /tr "'C:\Users\Admin\AppData\Local\Temp\Uni.exe'" /sc onlogon /rl HIGHEST
2⤵
- Creates scheduled task(s)
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3416,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4088 /prefetch:8
1⤵
PID:4204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4888,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=5008 /prefetch:1
1⤵
PID:324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4992,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=5164 /prefetch:1
1⤵
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5472,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:1
1⤵
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5632,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=5656 /prefetch:8
1⤵
PID:1488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5692,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=6008 /prefetch:1
1⤵
PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6156,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=6192 /prefetch:8
1⤵
PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5176,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=6216 /prefetch:1
1⤵
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x27c,0x7ff8390dceb8,0x7ff8390dcec4,0x7ff8390dced0
2⤵
PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2328,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=2324 /prefetch:2
2⤵
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1884,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=3428 /prefetch:3
2⤵
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2348,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:8
2⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4468,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=4492 /prefetch:8
2⤵
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4468,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=4492 /prefetch:8
2⤵
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4716,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=4684 /prefetch:1
2⤵
PID:3784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=4760,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=5056 /prefetch:8
2⤵
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5032,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=5196 /prefetch:8
2⤵
PID:1192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5536,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=5476 /prefetch:1
2⤵
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5540,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:1
2⤵
PID:4760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5600,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=5712 /prefetch:1
2⤵
PID:3384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2856,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=4832 /prefetch:8
2⤵
PID:1732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1516,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=4108 /prefetch:8
2⤵
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4768,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=5428 /prefetch:8
2⤵
PID:5152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4688,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=4648 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4084,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=4520 /prefetch:8
2⤵
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5976,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=4068 /prefetch:1
2⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=6128,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:1
2⤵
PID:3152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=5360,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=5088 /prefetch:8
2⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5068,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:1
2⤵
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7224,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=6728 /prefetch:8
2⤵
PID:5712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6680,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=7208 /prefetch:8
2⤵
PID:5864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=6752,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=7324 /prefetch:1
2⤵
PID:5560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=7232,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=7196 /prefetch:1
2⤵
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7584,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=6396 /prefetch:8
2⤵
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7728,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=7736 /prefetch:8
2⤵
PID:3936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7884,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=7872 /prefetch:8
2⤵
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7744,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=7920 /prefetch:8
2⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7764,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=8072 /prefetch:8
2⤵
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7724,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=8424 /prefetch:8
2⤵
PID:684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=8348,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:1
2⤵
PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=7352,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=7404 /prefetch:1
2⤵
PID:5588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7256,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=3040 /prefetch:8
2⤵
PID:3560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=6436,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=5072 /prefetch:1
2⤵
PID:4444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=7196,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=7460 /prefetch:1
2⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7432,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=7956 /prefetch:8
2⤵
PID:5436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7944,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=8440 /prefetch:8
2⤵
PID:5840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7864,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=7816 /prefetch:8
2⤵
PID:6004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=8224,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=7840 /prefetch:8
2⤵
PID:3536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=7808,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=7796 /prefetch:8
2⤵
PID:5608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=7800,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=7540 /prefetch:1
2⤵
PID:3832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=printing.mojom.PrintCompositor --lang=en-US --service-sandbox-type=print_compositor --no-appcompat-clear --field-trial-handle=2156,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=2152 /prefetch:8
2⤵
PID:2628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=7488,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=8780 /prefetch:1
2⤵
PID:1264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=8528,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=8548 /prefetch:8
2⤵
PID:6140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7384,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=7420 /prefetch:8
2⤵
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=6372,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=8980 /prefetch:1
2⤵
PID:1892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=8796,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=7360 /prefetch:8
2⤵
PID:3004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=8932,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=8744 /prefetch:1
2⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=9032,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=8752 /prefetch:8
2⤵
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=printing.mojom.PrintCompositor --lang=en-US --service-sandbox-type=print_compositor --no-appcompat-clear --field-trial-handle=5676,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=8856 /prefetch:8
2⤵
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --no-appcompat-clear --field-trial-handle=8704,i,7760268036511400520,16484342018297417159,262144 --variations-seed-version --mojo-platform-channel-handle=8708 /prefetch:3
2⤵
PID:5336

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
PID:1012

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x308 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5244

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5648

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1048

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
PID:5440

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2F9BC66B9D612E0127AEE3D6E6F486FE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2F9BC66B9D612E0127AEE3D6E6F486FE --renderer-client-id=2 --mojo-platform-channel-handle=1744 --allow-no-sandbox-job /prefetch:1
3⤵
PID:4844

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7EBF824F8791B09B91C785E87DF6E75A --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:6068

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1B3B9293B2DF5F0CB43172CD3B78E3F9 --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:4408

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=09770A54278E5BB34DC35E9B2B7E6802 --mojo-platform-channel-handle=2060 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:5348

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E7E3DD050ACA60D28B5CC9FC287CAA45 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?linkid=2132889&pc=W099
1⤵
PID:5852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?linkid=2132889&pc=W099
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3376 -ip 3376
1⤵
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
5262068d5892f9c7bc9be3490b022376

SHA1
efe0ca1fce06cd7ed7916b8be56155580f6ce0e5

SHA256
4a955e2ccbc37586fdcbf13c188c82f0f39a8ab05d07868a94d4000b1ccfd77a

SHA512
b47b887f24ab8ddceb2542fb8eb80345271932b7b94145a06872bb68068c72436d01f513b5bb66309e4168b446f13c33c68f4109f09e5b206ea1aa8db0db234b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
4ba4470cd214eb480ad4d062043e5d2b

SHA1
6b23bd18b569eca1b8ad3c0f8819e16536858f64

SHA256
d9319f32ea47c61e25287ffee04579d8513d85659f66c8e656733d05ea1af66a

SHA512
e26da9cc616768ec864439d1891878054f18a56598beb9a7dc6e5d128c9301f44de6255a6a8a3c96708378fa9647e3650f1dfda511c274c52ee00992db0b4ee7

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents

Filesize
12KB

MD5
b91147838db9cf34388b61da0a8c8507

SHA1
4fc11fde9ba7fb7ddac1cd85133156ec85524ad4

SHA256
d4cf071a4b119d1c99b3cb868d8565fdd8641c638c26a8db639d5aed50b28cfe

SHA512
1eaaa19457cea8daf5b072c4be3da85639aecd8acab21b6bcc4e43b82413eefa0e22acf683b26363885753a1b1d96f8e392d0ecf5600a330b4e0f61aac81815f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
20cac4282abce32d9eb2a7bf2c932882

SHA1
2e8dada7f4551142f5669b63b2c824508fb23670

SHA256
c2deca0a8b4ec90c5d9fff47da718d3e43e5ccbfa01da9883dea06e8667dcf83

SHA512
59a3b81ff1c63670f57fecddbae8a9d470c86fdb7e3e6281d5f41a0833349101e030200816daa3388c4fff280d5b437c8290b0ba33de3ba4b26065a0b843997a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000018

Filesize
16.3MB

MD5
546711d64d0fe312e41bcd4cac219578

SHA1
6a04fec5ce339620c0615b1a4eb4652e8d2ea3dd

SHA256
61cbe7a2a00cadf4e8452f89102bf88f4f85e128ab092c3fd2cbb1d4c027fd4d

SHA512
c53d1a98e1e0ca1040a97b79a92a00d972df47b20c5234e648966f4b0bb531ec1ca3fb755974885e928acf99aa07c2fbd1de65fa1a45dede9d54e42be2225b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
8d71d0b04827c4151433d731a1cac232

SHA1
9607b222cda2733beb5696e2387b55831fb5ec0f

SHA256
eec3c0d690453d7d7d00a72aba0011a326868a01ce9ba68bacf9a2405fd72de9

SHA512
39ee946ce4407a019b3aaa14b4d6672beb544d80628c1e59113e72672f12d57137558b323f4d5d4cdcf2f0dd4ba7a517455322f98bd79f86357ec2b817b9e365

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
4e7a4bbdcbd7016771f9a4b6c1bdb245

SHA1
445014262aa593fb1b147d8d28f1045d8b88d3c6

SHA256
53b8b0c6d8ff151f49617fcdf06f808554bd077cd76c4dd62f8a283ce3a86044

SHA512
8b9245735462a14887fd6c1835d2bb5aa5beb8467834c078b5b73e7d5c043a3691a31b6916bc5ea70e241abae81243445e29c709d60b5e944baca82f03057a09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2eaeaf897299768412f1346b5aebb033

SHA1
9764f6ab292dd1f9945f49ae3058cece247718a7

SHA256
874b670888d993b664c4ebff760bcf3e520058d71b08bdbe683c72009b925a1d

SHA512
6247ce2913da2f15ab9d339c9dc288614105ce3a69ca9afc59b4bc4e0d6374aa537d024a07e528a1c7f3e050f074017dbb3e721f366af11458209f2a1be0119f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
18eb314edcd3a4bb734bdbf35d5d8127

SHA1
b9ee329b33ea08d1b20265131d3b33fec830e47e

SHA256
3da9b5d54589cd0235f4bbe5e49008ac404e32efe3db5410774e53a55e1be363

SHA512
cca3562ca4fd2fe0eeedf5c8cdf5ae63f6f6c657874c4c21448f4d5a2ebaca63e212818b089c010292fa9d94e27f4bf5e8865f6887281d924284a03ae8b59643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0a6c37ee8f3022bfebafe59d9234498b

SHA1
a82297778e1505d094dd1ae5f29fa1efcf6db03c

SHA256
357ae3bfd6bbfb9ae9b80d22535fc8141de2219b0f04897036de15695aaec454

SHA512
1dbeab1220fb29bd09e566042fed02145e0fcb06deb9631bc8d8e58d38ab34d3aa6159a9566711d5db716a92980ba9e0197977cea4d990eeb3300f34d428e595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1a8f28225fc6eb953492b64e2d5eca4c

SHA1
b186012749e961600835895c18f8753d24a11661

SHA256
70ade04d8c5b2ba2a5955d54a1895456eb5f4099c622c0a25efc0b72a8c87826

SHA512
c20cd2888ad7f48277baf45b5c9442c8180c93ad543d5b7e1f336fee7b41cba656eb591cea56f86d0cedb225a19358ae35cc47201a916ef82f470c44c2377906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4db660110744d960f20b0f062b7fa3c2

SHA1
ab3ab669c9bc0d97185c3e468804abc4d0cdfb8b

SHA256
d112461d7ba05971374a956d1efde0f49860f3b47a50c8d86935becfd752ffa4

SHA512
c968522abe0d2eaae9b81be28afbfc6b9bec41a4cd373042d31c8fb9aa7fb3b17ff40f42605cbca1d7bf6e198307b0438cc752f286bdb334b21791c492921b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
700efe2d92db23da7086adfa404598b7

SHA1
141332f7b2729f3a606ca1951159da0028c7f04e

SHA256
0051905c44b255f4040b1c5fe1a4c0b122c86f9142235779f7c675d8378d86f7

SHA512
c9651a28ff72a5dabe780c7e43bfe81362cf3712530d8c7431525bcafb0aa16eefdd5d347d3f87ca78095474cb2b25328a67d7f2efc6bcefa80fb0088d0f98c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
c9be05f598f0f8990f34caab9fa6d6cf

SHA1
7ca0f950ed033e33ec67b3fa7663c42a522f79f7

SHA256
1192a5bcb63285009363905206ea25d16ac6107215ccf3b95102560ed58704a7

SHA512
cd3c0a3e8ae74f37eb9a89094c31552d8b5c0750b8f99eb2aac24e851b35a76ca5ca2cf3c23794e3dc74b87f1b0c269206f0b5a182ce2bc95d6f1839c3457664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
99fe076aba89a0773c2c41e7dc1cd4c2

SHA1
1b5974fda1973481d4d430c2aeef1a25077e2b31

SHA256
0c5472d666c7c4ebeb8bcee21a028e1a0cce11bd9386f2d0a074d0a7f699aa4d

SHA512
133117cdd4095f08e87f855093cd195009605b9443709718e0d8eba3e74fe794512bd4af05a4c816329fd1882a090486a4f000fb6c214022a5c7306444d59eaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
618d43e7bdeda16712d3c484ba9c598f

SHA1
71e9fcd8dff1bfac129b57f559983d7a45ee56b9

SHA256
47d250b26376659c31d116e485ce924f0763adf9cb2db5105b59952bd4b2ed88

SHA512
2e1ab4a2542fb28a4dde6ecc8bf62901e9ad013aa7f676c1adc7d2f312b4ab22b11c9dd31ff408a0f762f0c32b134a62fb02ffe3af1e93c582c37668c3bee20a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
9c11885f9f874b14bf3444c5368c8ed5

SHA1
df5c9d37d45f34d006bf9bf88a0c0f7635f6a5b1

SHA256
a49eaf92243a545b1315bb39222e72ced5503cd0e37355af2ea39f7a510bcfc6

SHA512
1e2179d8229354eecddebb5f62742a0c76f5dfd1848997eb07b302027652f4f77b28b236891687d8dd050ad7614061f173083f98fa3f22e99266571ff2b50a0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
c8624602e641db119d64d7fac8cead2c

SHA1
7c7d1300ab26c2104749f2c3a0f198495ac69171

SHA256
737fc3de3c2989307fb717d601f9894a3a4b99e9add059e5de184f6e0e871e56

SHA512
c9f03181bf4876310c84cb35e811e7c87998afaa9d24cd5e7543758094567fcd6eea1abb1e9829958e1c9d0058107da72fa66345c8f598832fcc6441924d9f8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
1a040c2219ebad0ae85603b9a37eac68

SHA1
ac99518109c7c95c42c663e82a5e1ba8fb1856c3

SHA256
c39f9613243500ec5b73a06e7c33e74559b395fa901216f88711da11a6041874

SHA512
7890919fc05c3eb4250dae6507a06d4950e89f1a2d14cff61aae1654137f44081f4580fdd121444f2e39a4cdc9212e19da58b6b314af6dfb2eb1a240898b42c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
6b2bb540c480a12f3a9bae8d6f511248

SHA1
e7f30982c736b2b09904662c60db03655ce04e85

SHA256
8165ae7a4308b5a9918288d1bb4c88ed8ca17a8a1ca10b84420bc4ef0bd78787

SHA512
682559b684d640a34c71545cc6fd87328bffd916dc71485a0c8db99b9fd2af677796a2115ced8d008375e5cbb6829aef29b74df41ce5cca5407f36e241282c17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
66KB

MD5
c6e2d881b50b5cd51dbe7ac3a05da81b

SHA1
9b02647117f0828380951be12a88499da41f9569

SHA256
98a8f1771a0e64b9b2d3c9d11b72fdc9bca795f2a28ee34dd719569ea56784b7

SHA512
a9707fb8636284665874dc16ade77328ffa19bfb306e40d295315874c631e837678d7e0bc39f84f37936f3820791854dc9dba297856196ff21a003a0194cdf7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
f8c103ceee664c2122b346fa641a5379

SHA1
4fc600ed5edaf4b143f3cdca62a071b4a7774cfd

SHA256
87899204850dedaad234c834c6dbd296ff6099deb3f318cd32705cf5653d957c

SHA512
47973a027021ae439f49fe604afd8f38de091d8df0393bdc2be5ce766e09c59f9837ea233acc60dbfbe506b6cf6d337c0bb2ce0e45f1ff8ebb463950d217135b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
66KB

MD5
2cc1d3ca15a0c5a46823c90640aa3330

SHA1
70518618cbe45ba9a5230a5370aadd350c4c2997

SHA256
4cdbaf9c18060c79611675a6a57d2cac0b3eb7aacc9ee0e477488660e6a8bc78

SHA512
4a4ed69b7ea2f9cca2f5377768f8c8cb65be88462e5a452b299f3a5d7083ad352d1e36d1543a8d84e814b8bad2c08fad1be592a82efbb2dcfd4a9498f75d6d2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCache

Filesize
9B

MD5
b6f7a6b03164d4bf8e3531a5cf721d30

SHA1
a2134120d4712c7c629cdceef9de6d6e48ca13fa

SHA256
3d6f3f8f1456d7ce78dd9dfa8187318b38e731a658e513f561ee178766e74d39

SHA512
4b473f45a5d45d420483ea1d9e93047794884f26781bbfe5370a554d260e80ad462e7eeb74d16025774935c3a80cbb2fd1293941ee3d7b64045b791b365f2b63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\local\uriCache_

Filesize
1KB

MD5
1ee1bbef8bab34e150db4b476352eb8b

SHA1
72c39a114ca918666e35d3fc43f3e62f3fa5da8c

SHA256
7fd1583777702a14fcd1567204fcf13ee3e4e09ca6127eb666c3d207dc5344be

SHA512
141ee7aacdab30d956bc62ae7bd22dbdc5edf5bc2a4c03916eed1eb89eacfd1c1e8cda7a8e7a5fadf5cb805bfd763c9d393f61cfeaca7f8f78ca700d095ba71d

Download Submit
C:\Users\Admin\AppData\Local\Temp\UDSGmbRKJ52C.exe

Filesize
277KB

MD5
dac0c5b2380cbdd93b46763427c9f8df

SHA1
038089e1a0ac8375be797fc3ce7ae719abc72834

SHA256
d02538788fb57f568ece292f5fc20e9775c86d504de67f57e22534f84adc73c6

SHA512
05cc1f6bf25a6545a06c735ae7a4a7fc25489bdb9fbc8d5797be623982662c4a93cba2d20bfe14313ef1548eaaa691e55fabdd8e3d3e45de9ab42dc62f9a7023

Download Submit
C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

Filesize
409KB

MD5
4c2bb0618a6eda615c8001d5a7ccd6c0

SHA1
c88d2c8bfc5906a5cfef78893d1132edcffd71f0

SHA256
abcda524c02f9381d8d43f9ec0079d854db821d77f45e88f50606f46871f81d6

SHA512
6abe53339656a023e2a0547f1c2249789c33091d67a21f2e689c6411dc5357e34ec3c65634b6f6955a5023d20803f7c746b13f574bcd84b008abb4a97ea61027

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 774147.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
\??\pipe\crashpad_4532_QYDKVTUAVLTVOBDJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/376-16-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/376-2-0x00000000057E0000-0x0000000005D84000-memory.dmp

Filesize
5.6MB

Download
memory/376-4-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/376-1-0x0000000000890000-0x00000000008FC000-memory.dmp

Filesize
432KB

Download
memory/376-0-0x000000007523E000-0x000000007523F000-memory.dmp

Filesize
4KB

Download
memory/376-7-0x0000000006410000-0x000000000644C000-memory.dmp

Filesize
240KB

Download
memory/376-6-0x0000000005ED0000-0x0000000005EE2000-memory.dmp

Filesize
72KB

Download
memory/376-5-0x00000000051B0000-0x0000000005216000-memory.dmp

Filesize
408KB

Download
memory/376-3-0x0000000005230000-0x00000000052C2000-memory.dmp

Filesize
584KB

Download
memory/1048-319-0x0000000008500000-0x00000000087AB000-memory.dmp

Filesize
2.7MB

Download
memory/1048-318-0x0000000006FB0000-0x00000000070FD000-memory.dmp

Filesize
1.3MB

Download
memory/1048-320-0x0000000008500000-0x00000000087AB000-memory.dmp

Filesize
2.7MB

Download
memory/1048-314-0x0000000008500000-0x00000000087AB000-memory.dmp

Filesize
2.7MB

Download
memory/3932-13-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3932-20-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3932-19-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download
memory/3932-18-0x00000000065A0000-0x00000000065AA000-memory.dmp

Filesize
40KB

Download
memory/3932-14-0x0000000075230000-0x00000000759E0000-memory.dmp

Filesize
7.7MB

Download