privateloader | dcf4e78aa4f4a43375e6c66a708f11e84986bd1f7bacc1564324e028fcba76f4

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7de715d1ee0762a29e3132e9fda5b98002750ef8ee53571208fe8b92f6225f4.exe
Size

2.2MB
MD5

6605a2632bb83652e92d35f921000a8f
SHA1

caf8df90019c136baeaa723a3d2eaac31a845532
SHA256

a7de715d1ee0762a29e3132e9fda5b98002750ef8ee53571208fe8b92f6225f4
SHA512

9784135f09746f879fd95f4b028dfe9936736d63e12aba90cc2f97f73a6d0ccb2ab2137e8a2215d4ab95f8f337802aedf508736671a2fa9a5a2aaa6eed80cc46
SSDEEP

24576:nyjlfVvtJc9EK8bWMw6WT0DsnpwCNeY3o7RaIRgmp0C/YN+ce5Zyakgd2/cOjVrk:ypf9SZ9MjxCECeRgmx/rX5QWSN5n9a

Score

10^/10

privateloader redline risepro smokeloader horda backdoor paypal infostealer loader persistence phishing stealer trojan

Malware Config

Extracted

Family

risepro

194.49.94.152

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral11/memory/4552-35-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	AppLaunch.exe

Executes dropped EXE 8 IoCs

pid	Process
4036	cA8oj86.exe
3056	Eh2rL21.exe
1156	fM2dY32.exe
3040	1KI99VY0.exe
1668	2OM5342.exe
2296	3jB56uK.exe
2436	4AH821ig.exe
6456	5ZD6vs5.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a7de715d1ee0762a29e3132e9fda5b98002750ef8ee53571208fe8b92f6225f4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	cA8oj86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Eh2rL21.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	fM2dY32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	AppLaunch.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral11/files/0x000700000002344b-64.dat	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	AppLaunch.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	AppLaunch.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	AppLaunch.exe
File opened for modification	C:\Windows\System32\GroupPolicy	AppLaunch.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 1744	3040	1KI99VY0.exe	89
PID 1668 set thread context of 4552	1668	2OM5342.exe	93
PID 6456 set thread context of 6588	6456	5ZD6vs5.exe	157

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3jB56uK.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3jB56uK.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3jB56uK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4152	schtasks.exe
3108	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2428	msedge.exe
2428	msedge.exe
4052	msedge.exe
4052	msedge.exe
432	msedge.exe
432	msedge.exe
5612	msedge.exe
5612	msedge.exe
6980	identity_helper.exe
6980	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
2436	4AH821ig.exe
2436	4AH821ig.exe
2436	4AH821ig.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
2436	4AH821ig.exe
2436	4AH821ig.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
2436	4AH821ig.exe
2436	4AH821ig.exe
2436	4AH821ig.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
2436	4AH821ig.exe
2436	4AH821ig.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3808 wrote to memory of 4036	3808	a7de715d1ee0762a29e3132e9fda5b98002750ef8ee53571208fe8b92f6225f4.exe	83
PID 3808 wrote to memory of 4036	3808	a7de715d1ee0762a29e3132e9fda5b98002750ef8ee53571208fe8b92f6225f4.exe	83
PID 3808 wrote to memory of 4036	3808	a7de715d1ee0762a29e3132e9fda5b98002750ef8ee53571208fe8b92f6225f4.exe	83
PID 4036 wrote to memory of 3056	4036	cA8oj86.exe	84
PID 4036 wrote to memory of 3056	4036	cA8oj86.exe	84
PID 4036 wrote to memory of 3056	4036	cA8oj86.exe	84
PID 3056 wrote to memory of 1156	3056	Eh2rL21.exe	85
PID 3056 wrote to memory of 1156	3056	Eh2rL21.exe	85
PID 3056 wrote to memory of 1156	3056	Eh2rL21.exe	85
PID 1156 wrote to memory of 3040	1156	fM2dY32.exe	87
PID 1156 wrote to memory of 3040	1156	fM2dY32.exe	87
PID 1156 wrote to memory of 3040	1156	fM2dY32.exe	87
PID 3040 wrote to memory of 1744	3040	1KI99VY0.exe	89
PID 3040 wrote to memory of 1744	3040	1KI99VY0.exe	89
PID 3040 wrote to memory of 1744	3040	1KI99VY0.exe	89
PID 3040 wrote to memory of 1744	3040	1KI99VY0.exe	89
PID 3040 wrote to memory of 1744	3040	1KI99VY0.exe	89
PID 3040 wrote to memory of 1744	3040	1KI99VY0.exe	89
PID 3040 wrote to memory of 1744	3040	1KI99VY0.exe	89
PID 3040 wrote to memory of 1744	3040	1KI99VY0.exe	89
PID 3040 wrote to memory of 1744	3040	1KI99VY0.exe	89
PID 3040 wrote to memory of 1744	3040	1KI99VY0.exe	89
PID 1156 wrote to memory of 1668	1156	fM2dY32.exe	90
PID 1156 wrote to memory of 1668	1156	fM2dY32.exe	90
PID 1156 wrote to memory of 1668	1156	fM2dY32.exe	90
PID 1668 wrote to memory of 2268	1668	2OM5342.exe	91
PID 1668 wrote to memory of 2268	1668	2OM5342.exe	91
PID 1668 wrote to memory of 2268	1668	2OM5342.exe	91
PID 1668 wrote to memory of 4760	1668	2OM5342.exe	92
PID 1668 wrote to memory of 4760	1668	2OM5342.exe	92
PID 1668 wrote to memory of 4760	1668	2OM5342.exe	92
PID 1668 wrote to memory of 4552	1668	2OM5342.exe	93
PID 1668 wrote to memory of 4552	1668	2OM5342.exe	93
PID 1668 wrote to memory of 4552	1668	2OM5342.exe	93
PID 1668 wrote to memory of 4552	1668	2OM5342.exe	93
PID 1668 wrote to memory of 4552	1668	2OM5342.exe	93
PID 1668 wrote to memory of 4552	1668	2OM5342.exe	93
PID 1668 wrote to memory of 4552	1668	2OM5342.exe	93
PID 1668 wrote to memory of 4552	1668	2OM5342.exe	93
PID 3056 wrote to memory of 2296	3056	Eh2rL21.exe	94
PID 3056 wrote to memory of 2296	3056	Eh2rL21.exe	94
PID 3056 wrote to memory of 2296	3056	Eh2rL21.exe	94
PID 1744 wrote to memory of 4152	1744	AppLaunch.exe	95
PID 1744 wrote to memory of 4152	1744	AppLaunch.exe	95
PID 1744 wrote to memory of 4152	1744	AppLaunch.exe	95
PID 1744 wrote to memory of 3108	1744	AppLaunch.exe	97
PID 1744 wrote to memory of 3108	1744	AppLaunch.exe	97
PID 1744 wrote to memory of 3108	1744	AppLaunch.exe	97
PID 4036 wrote to memory of 2436	4036	cA8oj86.exe	113
PID 4036 wrote to memory of 2436	4036	cA8oj86.exe	113
PID 4036 wrote to memory of 2436	4036	cA8oj86.exe	113
PID 2436 wrote to memory of 432	2436	4AH821ig.exe	114
PID 2436 wrote to memory of 432	2436	4AH821ig.exe	114
PID 432 wrote to memory of 4528	432	msedge.exe	116
PID 432 wrote to memory of 4528	432	msedge.exe	116
PID 2436 wrote to memory of 2396	2436	4AH821ig.exe	117
PID 2436 wrote to memory of 2396	2436	4AH821ig.exe	117
PID 2396 wrote to memory of 772	2396	msedge.exe	118
PID 2396 wrote to memory of 772	2396	msedge.exe	118
PID 2436 wrote to memory of 4140	2436	4AH821ig.exe	119
PID 2436 wrote to memory of 4140	2436	4AH821ig.exe	119
PID 4140 wrote to memory of 4532	4140	msedge.exe	120
PID 4140 wrote to memory of 4532	4140	msedge.exe	120
PID 2436 wrote to memory of 5016	2436	4AH821ig.exe	121

C:\Users\Admin\AppData\Local\Temp\a7de715d1ee0762a29e3132e9fda5b98002750ef8ee53571208fe8b92f6225f4.exe
"C:\Users\Admin\AppData\Local\Temp\a7de715d1ee0762a29e3132e9fda5b98002750ef8ee53571208fe8b92f6225f4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cA8oj86.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cA8oj86.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Eh2rL21.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Eh2rL21.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fM2dY32.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fM2dY32.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1KI99VY0.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1KI99VY0.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Drops startup file
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:4152
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        7⤵
        Creates scheduled task(s)
        
        PID:3108
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2OM5342.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2OM5342.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1668
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2268
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4760
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4552
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3jB56uK.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3jB56uK.exe
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      PID:2296
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4AH821ig.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4AH821ig.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:432
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff457346f8,0x7fff45734708,0x7fff45734718
        5⤵
        
        PID:4528
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
        5⤵
        
        PID:4988
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
        5⤵
        
        PID:2364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:3628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        5⤵
        
        PID:5160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
        5⤵
        
        PID:5648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
        5⤵
        
        PID:5924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
        5⤵
        
        PID:6116
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
        5⤵
        
        PID:1476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
        5⤵
        
        PID:5712
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
        5⤵
        
        PID:5604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
        5⤵
        
        PID:6132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
        5⤵
        
        PID:6288
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
        5⤵
        
        PID:6576
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
        5⤵
        
        PID:6604
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
        5⤵
        
        PID:6756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:1
        5⤵
        
        PID:7072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
        5⤵
        
        PID:7084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
        5⤵
        
        PID:6376
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
        5⤵
        
        PID:6516
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
        5⤵
        
        PID:6156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
        5⤵
        
        PID:4756
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2580 /prefetch:1
        5⤵
        
        PID:5344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7788 /prefetch:8
        5⤵
        
        PID:4348
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7788 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6980
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
        5⤵
        
        PID:6580
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7588 /prefetch:1
        5⤵
        
        PID:6644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7600 /prefetch:1
        5⤵
        
        PID:6624
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6480 /prefetch:8
        5⤵
        
        PID:6684
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,506644744505470347,16979529895436928955,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8556 /prefetch:1
        5⤵
        
        PID:6156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff457346f8,0x7fff45734708,0x7fff45734718
        5⤵
        
        PID:772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,16075328795837083166,12231854599058462311,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
        5⤵
        
        PID:4488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,16075328795837083166,12231854599058462311,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff457346f8,0x7fff45734708,0x7fff45734718
        5⤵
        
        PID:4532
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,5993139386994368671,8532406731120718111,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
      4⤵
      PID:5016
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff457346f8,0x7fff45734708,0x7fff45734718
        5⤵
        
        PID:224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,6277401910297007581,16503172375765083568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
        5⤵
        
        PID:5948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
      4⤵
      PID:1336
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff457346f8,0x7fff45734708,0x7fff45734718
        5⤵
        
        PID:404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
      4⤵
      PID:2732
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff457346f8,0x7fff45734708,0x7fff45734718
        5⤵
        
        PID:2972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
      4⤵
      PID:5600
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff457346f8,0x7fff45734708,0x7fff45734718
        5⤵
        
        PID:5720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
      4⤵
      PID:2004
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff457346f8,0x7fff45734708,0x7fff45734718
        5⤵
        
        PID:5656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
      4⤵
      PID:5996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff457346f8,0x7fff45734708,0x7fff45734718
        5⤵
        
        PID:5676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
      4⤵
      PID:6160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x144,0x170,0x7fff457346f8,0x7fff45734708,0x7fff45734718
        5⤵
        
        PID:6268
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ZD6vs5.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ZD6vs5.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:6456
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Checks SCSI registry key(s)
    PID:6588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:2276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe

Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
72KB

MD5
e47f587733a563f8cdbbd3a827a93684

SHA1
1b08f0dcb77e69dd59ab48f8b5417a5c10bf89bd

SHA256
d390c27d2c04782586bce0b2df0c276c7338af7a7155a898299ff82079aec4a3

SHA512
b114ce251742e5919f9b73a585ae28498eb0c5509f5f453b3f028e573d5faea497972465e2688a2d0ff0c83945708d851d34bc0abaeaa7686cfeb6b9b4ce335b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
34KB

MD5
64af5e859cd411f58ba7ade44f5a8c26

SHA1
c1ccd85a8209e2bbb58c662f1b621d2cdf7d3565

SHA256
7d3be672a50529d4ed208efdb7a90fa467eea5adca9bf877e18b167a4511cc24

SHA512
61ec83ff7512bd438f0c7112111af73b1a6eedd1dbf515dfd19c41dc46e58ea4b998f0faee85e7fc75bbc2d142bbf6b337e52e76aec01f4c6725e9d733765240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
223KB

MD5
253130eaad29f6b3a8d8e7815c0bd494

SHA1
a4f9c43a0a8bfdea2abb714a89628d9ab53911f1

SHA256
100b51f83c1ebf8717d0b03fbf1752724877a6c3828b30d24dbd649e1d70de23

SHA512
aec0c1d01c6d5c934091913bac199ec1bcfb87297a02237ebb71659dda8040f64217fc21d535efff9ef994085d74c12a7ee6e8ebf711a83f5afa61d765b257d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005a

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
6ebf0439e5d4ec29750307164305258f

SHA1
9918a59f3515d90ca3fd5e805be39e3211bc0d7b

SHA256
c13f0c9fcdd84ea9e26f0e10851be4a4857c327be0f149df5bd6ab7e0cfce769

SHA512
a2a0610b4f493573e210f6a7acd798d582bfeec39c470e7c6fc2786940df9979823cfd7162cb026fc27bbfd64022df53fb472cd767a02a122cd40d93a0bfca52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
40a274fbfa858cd307a511d24c7fca95

SHA1
37ad67dd4b36f253434bb5a3d78b4dba19b97c8b

SHA256
1db449c31d8cd29ea3d2714bf6a01e46a2c1a7ae6117758f81c5597d32d52f6a

SHA512
90031e1f51324e2b3e0ebaf646b3cc3aac87ff31d519c482aad79c779a32ca9c78795a55ddc9c0deacf7e1b0e53aa42046c33058da6f11b129af80892f0d2966

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
799adb66323c3c6fdef5d035d916dca7

SHA1
aa3b303831fb3a8ace850597148ea31ce27aa4de

SHA256
6d3b3b9f270e7af11e143f4bb1829be982968ed1ec479d56745aa3a686ac56db

SHA512
b38f59c4e2ffb6f6c31faabf233f17802eda29c1eff778d376aaebdb6994f1e33aa7e7b9137db77917eff838f1281188dde9663df9e5f73d6187c60dbcfcbe8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
a91f30d05b3a31186737d4454d08d9ef

SHA1
d7810e2e2077502510a1e4e4b70e010554c2b079

SHA256
925e8db44ff0c2e00a10302765d2b61d3735fbe9fc8f8e921d087329ebdc2d79

SHA512
4a09af6bfde254735d3c7679d875475929e775465d29368cd64a614b1aa35658c5d7f9f8f8d9146ee8cf5184961700f076b0b17642712a416e29276123350b13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
0d90465b98f9c8d285f6a02629d88060

SHA1
b0271ca6a7e12f293c483ef386a3823b14b42e9c

SHA256
20b85f11c5419aeafface0344652d71745cf27aec91ae271e4758a6fe2b46ad8

SHA512
30d46049bc9c7cf1e786940e2e2a9902cd85f10830f026f1aa51d25f94ed15d8a2fa426f706ee8d42cf101cb4409d9499c03a05ae58850d0b7f12483f6139bce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
f1744f26f889057abc8a073fa0ecc505

SHA1
8ef3091d144f29e71b94dcf1e7975bd88b3b718d

SHA256
81d19da259de0b3d743909edf8fd18b8148beb94d698aef576ea5483868b7f0c

SHA512
221dd86fba624c0b59a39ded97be1e67444216c96e032cf69ebc9f676ffbaefd7d0b5d3a8513ae98150a7bfe7d8ff427b7bd46311dbecbcaf25e287e613c1166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmp

Filesize
146B

MD5
c758c99fee2777bee2dbde3ee561a4b0

SHA1
a6f0fe0a15d338735277a93eb2727f11966a1c4f

SHA256
054066bcd4d28a5165cdcc0eee80d52573cdc2aab8bdc1ad37f69392db65fe6a

SHA512
70de1b8e7ca61fa56e725e7988616cbbcca66b297bd5d9bc32c92c9c55292c0cce8c6ba76eb7ca2b6b3e571a7a26c99479fc984ffb8ecf27c47b3f1b943e77c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
8380a9258b9cc7a5586138670ac6e79b

SHA1
05b279d3e8d856455f35d99d3c8416b6e57b6e37

SHA256
0ae124e10cef573af533a8ed08ec014a6aae58be5acc1c35350bc21e14de6235

SHA512
12069137d106b00523b0d7a15305e47e74073199fe197f4a059fcebdbc6fe02d538c98539baf23273d449bb89d9038191e4f602e479c36d5b175296014694dbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe584a91.TMP

Filesize
48B

MD5
0b2392f2c752f71b9ac14e72361e9fe3

SHA1
acdbd1dd3699e9050702eace376e945c3f42bc68

SHA256
adb177fc7d0c5525763492581784c8849c0731a561b7c8ed6bd3ee29354325fe

SHA512
8a5fe5bc4d343523264d1efcec61fe76bead0da2bc00f641e2575d439bdd18146bb9e49fb930e34abaeb1292c0bcb14dcdab4ab6108d8651c6e671ea4b2b3a8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
860dc2119c0f56ed898d4f93b918d5f2

SHA1
9d5deadb682015a344c01b6c914a447058cc44f1

SHA256
7aed8cd1d5aebfaaa22ff51adbe99edb4d7a5b4bfcd247e25f0f6a4692064d85

SHA512
ca2f0a1edb82692d5569b339fc18b8845d3e83ba81c84946c3a14e122164d1b2e7a23b4920361f1066352d3475ad40d3d6bb149140ef23df1cd41ac0e23da74a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
1f08201c84d88cbbefa59bd652a9fb88

SHA1
5f46c4b886ee296eec2e9b90847a8942b8b79cc8

SHA256
9082c9dfe1ec5c05a48da08591a6e1ecaa45db74bd240d3f8cbc43b19fcd63a9

SHA512
d50d84798780e18de5a8fa381a7495c450de674dfa945a094b12138bc0705a19b5203717cda66d7f29648644101ddb437b3c82177a6c2fe513ec4579f96fc7fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
f249dd3ce298bed71d05c812e332b8e0

SHA1
6bef93ed5a75e1d496ccda28d20d62b955fa6763

SHA256
4db942041119da981f27d3ae823afd6b765312e0b6d971221c50901d024b377e

SHA512
e6799ce8c3ca5a0ebcebf72c542f66a30da0ec27b5911a39717152dfcb3f2a52aba546d99e585af75ad2bd9184ed35fb181a2d26ab987abe8448d00cb0ec6d08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580b36.TMP

Filesize
3KB

MD5
836bfd82c97872613ba26adbb8857cd8

SHA1
0b3d4ced792f33134f2952e757524857cb8861c9

SHA256
d98f2b8515ea355ca2dafba4741b0beb0a2e926b807531cc12ad9aa8f1fc7d83

SHA512
af1aa6c215d266676321f6e7f6c09b34cbd0245db89fe196bef3ce4ba187d6b293191cfdf8aea3a4c84d76cec51d01b1c34eca450f29b03591b8aeaf978423be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a8f38020-db9a-48a9-9bd0-9d085cb6fe38.tmp

Filesize
9KB

MD5
9e88d158c688b1db467119fdace1d0ab

SHA1
d41f3bae94eff68196622ad4bce166681b0c1b88

SHA256
f3e28c9145c8024a83f8822d27a61b192bfd46443c5f8b71bf929aa27c2a946f

SHA512
7ddc7b3c110c593d71645810b2c6d08a84f967b00ffe35021703fcf083ceafcccf33104b0410c4e6c6935290c1dc8ca2cffec2086ba9e802cc46d509fc135c8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f825b22e-4edd-453a-9471-2524397fc0ee.tmp

Filesize
4KB

MD5
8011e2e09e4aed4e02c0ab95b1cd2232

SHA1
847d6c15584eeef47e262c7ccdc083bbe1203319

SHA256
624d0fb42093647cc99dabb362d46350c0fe92c39ca868ae931dc446a9c2b23f

SHA512
d4cd6c2503587bbc03005270bf5eefca25bd66e483468f54e3b49f178c7c8c4829711f993336effc8b72bbe98f2c4ef40f49f6310b57855a309577a6cef924d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
18aaf903d98f0cc113aa6a63913d7370

SHA1
e11771893e3cec9ef42f17564c9ddb95465e3b2f

SHA256
8680bcf5edba207e55541c15c4b0383e2b02c5f7b681eed863530367be3d5657

SHA512
7956b42cf04f5d4856cc8c6b0d8c08f5112b0a4273f08ecab879008b0f26c4960d135e3072f64b29863b92b4fa3f260b65042c4bbd67c2173c81f9af764ad66e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dddb1c2b8027877ec1d346905a67cd02

SHA1
57c7e6c7fb63f8d0e0e3ad085129c85ff3364047

SHA256
d96c6f09db0588b118612dd6411cc71d399066c31d893c926eef187ec32c33da

SHA512
55e811d7effe42d6a6fab16b04fb11147568866692a52939fa1bd1f2267eac190bf83147d816f0fa20ebe3318e36df2327b0f2475cc9cc751c5059bbe5f74a84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
9ca234cf9f6df720aee966786b09689d

SHA1
ed6513f569064c4b742c3f4110fc39451fe15775

SHA256
d416c4919ba224aa058649687d419c0caed344b01884a100d3dde34b27bfd984

SHA512
e02bfa8c9dd9215d32c58a0f1438c05e515a4e6e27ac9aa8468894ac3ffa1567fc7c99fc213efeb56c95e369a1451aaaceccc3b9437587d5b72f42ca6fd7d030

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
df53b9854e6f9b94a599eba1a7c7f9da

SHA1
e3455f03e948505e23e779589a5ea06dd35ae092

SHA256
482d86a52971b452c0824fd3298716f4d06ec57400fced88363d9d6680064650

SHA512
246fc6ddef69a6005e0aedf80522f8f464c4bfae285b427c3f2d77100b5ad463cce623d2ac03714b7e0619cf32d4c8885334fac764c07837b9dfed23fe772a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5ZD6vs5.exe

Filesize
903KB

MD5
8a09194e25c4b3d2aa72ec9b25862d6f

SHA1
b5b1b8c7815c17c4351cc91c36ed5f583153f8e1

SHA256
493fd7fd2873cabb51150469262c09f27eaf22f0be56ec019e56e306dc4f5a61

SHA512
ff7fef3a62f7ebe634dafee4f56c0fe979b389dda97d748cef6ac261109aa461b3be087c5d39268bebaa914f4b15fdcd9f36b03a519f5000943724a72967132a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\cA8oj86.exe

Filesize
1.9MB

MD5
b144edd49fe2a66d24aae4eb1bd8c579

SHA1
f8d796e8d24cc7ff1f7168f2f8bedd8f07cb72fd

SHA256
bb761d61b1568e5eae034ad94e8d5831a3acaad20a6b954e3c8a2c99d1163216

SHA512
4c0fe182e476ec6f987d37d897b4a9f2a4a7cc03cf487621b6e11da63c46479c7f8f9656a717422a9bc8ae8c4b8df4c70c1b4e53eaafc341638eadf253d51762

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4AH821ig.exe

Filesize
896KB

MD5
0aa1bd76f7af084dbf48d2d9540c0839

SHA1
1974a293ba3941c2551d75895566e83e8e3dd342

SHA256
8bbd0b57100f621a2b615d95a3215d58e93a8cd4a1d54a85343602ed6b0252a6

SHA512
ec49221021d1e2ce9fc22097769c235b7ba0f97958d3b8a2b148656d5281248a656bfd828c77e695ba9c5ce08816080acfc84c89a2cb626574a25dd0f5b8003a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Eh2rL21.exe

Filesize
1.4MB

MD5
b8a895d2cd8b18fa8821d9e2cf8d0cd3

SHA1
517d4253a7995b80e7ba6fe3a1857f3a503f6c32

SHA256
907dba3a430f46e8910c5a1d91d048838d8de6c9b4eac0db3e8676b934ef7c7a

SHA512
e4fc2499330dfd97294c0cd8a62c7604b65f02f09019f7ef4098d49d76bd850ff9da09b4f1f7576ac543e44b835cbd31989ecca1cb3b796f8e163a851e1abc6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3jB56uK.exe

Filesize
38KB

MD5
151a95d6e5f0162f0263778998655432

SHA1
f84c0acbc8efa6bb025dec7bd89d797e1de896a8

SHA256
9db6177ea9ccd0ace91e830b62937fb399cc5341e900b67f4dbfda6aaee3dbd8

SHA512
48c7b42389f7b1bb02cd895fd10135804f7db4820363ee3754bca5204807d3f39709a2458d0738d81dd0b639065da4bfddfbcbc4e41ee76573651436b89a4022

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\fM2dY32.exe

Filesize
1.3MB

MD5
2cbb38e248264b5bec9a80db06d73552

SHA1
2024c1637fbe067cd2032a605d560a7f5d1d3d44

SHA256
b8a150e2b92ef33377f0d73d86e552c9854dbefaac95dc411510eb03cf510c09

SHA512
37569a4cebb3d95a139e22e74e7d2e156438b5e54cc5f6de517414463c43024714bbfbccb856035e0880c30abd7d22d1eae0d7d189e0f5390d842fa6ecc15126

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1KI99VY0.exe

Filesize
2.6MB

MD5
3da48ebb895fffcf6140ae40e44f3c1d

SHA1
cfac35998b3dac499419ddfc3a7587a6cc19dcda

SHA256
2d8e42bb3ceda0b271e1f88ce8c060569208fef54ea298fdf0252786fdefca46

SHA512
b803554602eca109fe8c2fbf9c331fd663967b8b08bca3e4d7d2bb59d0739a9e4118e7d987a15a2dfdef980cec3dfae4e2fae4eb554aaa3151e1cfdcf6e29e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2OM5342.exe

Filesize
1.1MB

MD5
3fe965a39eb3fe137be76fd5defd102a

SHA1
65c94de9e152d47ebd7bf7136299d8bbd2b72dcf

SHA256
c8a80acdfd2f99ccbc82b79681c5a2187bc3e19dc20a3b23302b72c973b3b9dc

SHA512
294fadf4704a2dbaab08670d5bcb41a1e46834e24e3869b67f6661763c8f1e68b1c2a12ce0b18d51f49638551fd96b1ff9c3f568e2c87a682d34ca5049147620

Download Submit
memory/1744-28-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/1744-55-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/1744-34-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/1744-32-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/2296-62-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2296-46-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4552-61-0x0000000007B80000-0x0000000007BCC000-memory.dmp

Filesize
304KB

Download
memory/4552-52-0x0000000007D40000-0x00000000082E4000-memory.dmp

Filesize
5.6MB

Download
memory/4552-35-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4552-53-0x0000000007830000-0x00000000078C2000-memory.dmp

Filesize
584KB

Download
memory/4552-56-0x0000000004E00000-0x0000000004E0A000-memory.dmp

Filesize
40KB

Download
memory/4552-57-0x0000000008910000-0x0000000008F28000-memory.dmp

Filesize
6.1MB

Download
memory/4552-58-0x0000000007C10000-0x0000000007D1A000-memory.dmp

Filesize
1.0MB

Download
memory/4552-59-0x00000000079C0000-0x00000000079D2000-memory.dmp

Filesize
72KB

Download
memory/4552-60-0x0000000007B40000-0x0000000007B7C000-memory.dmp

Filesize
240KB

Download