privateloader | 5eb722b1af29eaaa64b029ffc54dddae92acbb9c1b778b6bc51551329ed241e8

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9bd29cf05e48e1f9b5f02750f58864848d24e66aab5b629f9133b674bc59b527.exe
Size

2.2MB
MD5

41a5588669b0b38da40a5930eb6425bc
SHA1

d3f879a49d16a82b0deba11f61f651776e926a9c
SHA256

9bd29cf05e48e1f9b5f02750f58864848d24e66aab5b629f9133b674bc59b527
SHA512

d3c8004487b9b7d752e1128f6d0f7e01bd893f21fda77e1c46fa4799a70bafa5457d5e8c91d802c05022968f2dc8d25ac21d4045853a0b7558e1cd2d04234828
SSDEEP

49152:xlyS7Fm/SvrozpOg0vs71TFrRAPmtftq+1PY8Ou:fySFXo1Lx7T1APUk+1ww

Score

10^/10

privateloader redline risepro smokeloader horda backdoor paypal infostealer loader persistence phishing stealer trojan

Malware Config

Extracted

Family

risepro

194.49.94.152

Extracted

Family

redline

Botnet

horda

194.49.94.152:19053

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral14/memory/4468-47-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Drops startup file 1 IoCs

Processes:

AppLaunch.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk AppLaunch.exe
Executes dropped EXE 8 IoCs

Processes:

iQ7jF15.exeUC5XT89.exeHq3xN22.exe1Ts79wh2.exe2HH7799.exe3qZ54PU.exe4gF248wy.exe5Up2Lj8.exe

pid process

4512 iQ7jF15.exe
4312 UC5XT89.exe
4748 Hq3xN22.exe
844 1Ts79wh2.exe
3828 2HH7799.exe
1980 3qZ54PU.exe
1688 4gF248wy.exe
7064 5Up2Lj8.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	AppLaunch.exe

pid	process
4512	iQ7jF15.exe
4312	UC5XT89.exe
4748	Hq3xN22.exe
844	1Ts79wh2.exe
3828	2HH7799.exe
1980	3qZ54PU.exe
1688	4gF248wy.exe
7064	5Up2Lj8.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9bd29cf05e48e1f9b5f02750f58864848d24e66aab5b629f9133b674bc59b527.exeiQ7jF15.exeUC5XT89.exeHq3xN22.exeAppLaunch.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9bd29cf05e48e1f9b5f02750f58864848d24e66aab5b629f9133b674bc59b527.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	iQ7jF15.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	UC5XT89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	Hq3xN22.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	AppLaunch.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4gF248wy.exe	autoit_exe

Detected potential entity reuse from brand paypal.
phishing paypal

Drops file in System32 directory 4 IoCs

Processes:

AppLaunch.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	AppLaunch.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	AppLaunch.exe
File opened for modification	C:\Windows\System32\GroupPolicy	AppLaunch.exe
File opened for modification	C:\Windows\SysWOW64\GroupPolicy\gpt.ini	AppLaunch.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

1Ts79wh2.exe2HH7799.exe5Up2Lj8.exe

description	pid	process	target process
PID 844 set thread context of 3044	844	1Ts79wh2.exe	AppLaunch.exe
PID 3828 set thread context of 4468	3828	2HH7799.exe	AppLaunch.exe
PID 7064 set thread context of 5648	7064	5Up2Lj8.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

AppLaunch.exe3qZ54PU.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3qZ54PU.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3qZ54PU.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3qZ54PU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1592 schtasks.exe
5100 schtasks.exe

pid	process
1592	schtasks.exe
5100	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
2056	msedge.exe
2056	msedge.exe
3256	msedge.exe
3256	msedge.exe
3720	msedge.exe
3720	msedge.exe
5608	msedge.exe
5608	msedge.exe
6140	msedge.exe
6140	msedge.exe
6332	msedge.exe
6332	msedge.exe
2772	identity_helper.exe
2772	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

Processes:

msedge.exe

pid	process
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe

Suspicious use of FindShellTrayWindow 31 IoCs

Processes:

4gF248wy.exemsedge.exe

pid	process
1688	4gF248wy.exe
1688	4gF248wy.exe
1688	4gF248wy.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
1688	4gF248wy.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
1688	4gF248wy.exe
1688	4gF248wy.exe

Suspicious use of SendNotifyMessage 30 IoCs

Processes:

4gF248wy.exemsedge.exe

pid	process
1688	4gF248wy.exe
1688	4gF248wy.exe
1688	4gF248wy.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
1688	4gF248wy.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
1688	4gF248wy.exe
1688	4gF248wy.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9bd29cf05e48e1f9b5f02750f58864848d24e66aab5b629f9133b674bc59b527.exeiQ7jF15.exeUC5XT89.exeHq3xN22.exe1Ts79wh2.exe2HH7799.exeAppLaunch.exe4gF248wy.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	pid	process	target process
PID 1376 wrote to memory of 4512	1376	9bd29cf05e48e1f9b5f02750f58864848d24e66aab5b629f9133b674bc59b527.exe	iQ7jF15.exe
PID 1376 wrote to memory of 4512	1376	9bd29cf05e48e1f9b5f02750f58864848d24e66aab5b629f9133b674bc59b527.exe	iQ7jF15.exe
PID 1376 wrote to memory of 4512	1376	9bd29cf05e48e1f9b5f02750f58864848d24e66aab5b629f9133b674bc59b527.exe	iQ7jF15.exe
PID 4512 wrote to memory of 4312	4512	iQ7jF15.exe	UC5XT89.exe
PID 4512 wrote to memory of 4312	4512	iQ7jF15.exe	UC5XT89.exe
PID 4512 wrote to memory of 4312	4512	iQ7jF15.exe	UC5XT89.exe
PID 4312 wrote to memory of 4748	4312	UC5XT89.exe	Hq3xN22.exe
PID 4312 wrote to memory of 4748	4312	UC5XT89.exe	Hq3xN22.exe
PID 4312 wrote to memory of 4748	4312	UC5XT89.exe	Hq3xN22.exe
PID 4748 wrote to memory of 844	4748	Hq3xN22.exe	1Ts79wh2.exe
PID 4748 wrote to memory of 844	4748	Hq3xN22.exe	1Ts79wh2.exe
PID 4748 wrote to memory of 844	4748	Hq3xN22.exe	1Ts79wh2.exe
PID 844 wrote to memory of 3044	844	1Ts79wh2.exe	AppLaunch.exe
PID 844 wrote to memory of 3044	844	1Ts79wh2.exe	AppLaunch.exe
PID 844 wrote to memory of 3044	844	1Ts79wh2.exe	AppLaunch.exe
PID 844 wrote to memory of 3044	844	1Ts79wh2.exe	AppLaunch.exe
PID 844 wrote to memory of 3044	844	1Ts79wh2.exe	AppLaunch.exe
PID 844 wrote to memory of 3044	844	1Ts79wh2.exe	AppLaunch.exe
PID 844 wrote to memory of 3044	844	1Ts79wh2.exe	AppLaunch.exe
PID 844 wrote to memory of 3044	844	1Ts79wh2.exe	AppLaunch.exe
PID 844 wrote to memory of 3044	844	1Ts79wh2.exe	AppLaunch.exe
PID 844 wrote to memory of 3044	844	1Ts79wh2.exe	AppLaunch.exe
PID 4748 wrote to memory of 3828	4748	Hq3xN22.exe	2HH7799.exe
PID 4748 wrote to memory of 3828	4748	Hq3xN22.exe	2HH7799.exe
PID 4748 wrote to memory of 3828	4748	Hq3xN22.exe	2HH7799.exe
PID 3828 wrote to memory of 4504	3828	2HH7799.exe	AppLaunch.exe
PID 3828 wrote to memory of 4504	3828	2HH7799.exe	AppLaunch.exe
PID 3828 wrote to memory of 4504	3828	2HH7799.exe	AppLaunch.exe
PID 3828 wrote to memory of 4468	3828	2HH7799.exe	AppLaunch.exe
PID 3828 wrote to memory of 4468	3828	2HH7799.exe	AppLaunch.exe
PID 3828 wrote to memory of 4468	3828	2HH7799.exe	AppLaunch.exe
PID 3044 wrote to memory of 5100	3044	AppLaunch.exe	schtasks.exe
PID 3044 wrote to memory of 5100	3044	AppLaunch.exe	schtasks.exe
PID 3044 wrote to memory of 5100	3044	AppLaunch.exe	schtasks.exe
PID 3828 wrote to memory of 4468	3828	2HH7799.exe	AppLaunch.exe
PID 3828 wrote to memory of 4468	3828	2HH7799.exe	AppLaunch.exe
PID 3828 wrote to memory of 4468	3828	2HH7799.exe	AppLaunch.exe
PID 3828 wrote to memory of 4468	3828	2HH7799.exe	AppLaunch.exe
PID 3828 wrote to memory of 4468	3828	2HH7799.exe	AppLaunch.exe
PID 4312 wrote to memory of 1980	4312	UC5XT89.exe	3qZ54PU.exe
PID 4312 wrote to memory of 1980	4312	UC5XT89.exe	3qZ54PU.exe
PID 4312 wrote to memory of 1980	4312	UC5XT89.exe	3qZ54PU.exe
PID 3044 wrote to memory of 1592	3044	AppLaunch.exe	schtasks.exe
PID 3044 wrote to memory of 1592	3044	AppLaunch.exe	schtasks.exe
PID 3044 wrote to memory of 1592	3044	AppLaunch.exe	schtasks.exe
PID 4512 wrote to memory of 1688	4512	iQ7jF15.exe	4gF248wy.exe
PID 4512 wrote to memory of 1688	4512	iQ7jF15.exe	4gF248wy.exe
PID 4512 wrote to memory of 1688	4512	iQ7jF15.exe	4gF248wy.exe
PID 1688 wrote to memory of 680	1688	4gF248wy.exe	msedge.exe
PID 1688 wrote to memory of 680	1688	4gF248wy.exe	msedge.exe
PID 1688 wrote to memory of 3720	1688	4gF248wy.exe	msedge.exe
PID 1688 wrote to memory of 3720	1688	4gF248wy.exe	msedge.exe
PID 680 wrote to memory of 4748	680	msedge.exe	msedge.exe
PID 680 wrote to memory of 4748	680	msedge.exe	msedge.exe
PID 3720 wrote to memory of 4828	3720	msedge.exe	msedge.exe
PID 3720 wrote to memory of 4828	3720	msedge.exe	msedge.exe
PID 1688 wrote to memory of 4040	1688	4gF248wy.exe	msedge.exe
PID 1688 wrote to memory of 4040	1688	4gF248wy.exe	msedge.exe
PID 4040 wrote to memory of 1372	4040	msedge.exe	msedge.exe
PID 4040 wrote to memory of 1372	4040	msedge.exe	msedge.exe
PID 1688 wrote to memory of 2744	1688	4gF248wy.exe	msedge.exe
PID 1688 wrote to memory of 2744	1688	4gF248wy.exe	msedge.exe
PID 2744 wrote to memory of 220	2744	msedge.exe	msedge.exe
PID 2744 wrote to memory of 220	2744	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\9bd29cf05e48e1f9b5f02750f58864848d24e66aab5b629f9133b674bc59b527.exe
"C:\Users\Admin\AppData\Local\Temp\9bd29cf05e48e1f9b5f02750f58864848d24e66aab5b629f9133b674bc59b527.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1376

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iQ7jF15.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iQ7jF15.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4512

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UC5XT89.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UC5XT89.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4312

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq3xN22.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq3xN22.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4748

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ts79wh2.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ts79wh2.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3044

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:5100

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:1592

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2HH7799.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2HH7799.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3qZ54PU.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3qZ54PU.exe
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1980

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4gF248wy.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4gF248wy.exe
3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffb980646f8,0x7ffb98064708,0x7ffb98064718
5⤵
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,4237916169939700891,14637013388661511492,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
5⤵
PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,4237916169939700891,14637013388661511492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
4⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb980646f8,0x7ffb98064708,0x7ffb98064718
5⤵
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
5⤵
PID:1240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
5⤵
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
5⤵
PID:5228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
5⤵
PID:5236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
5⤵
PID:5780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
5⤵
PID:5924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
5⤵
PID:5336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
5⤵
PID:5620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
5⤵
PID:6256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
5⤵
PID:6564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
5⤵
PID:6604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
5⤵
PID:6760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
5⤵
PID:6908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
5⤵
PID:7024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
5⤵
PID:6024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
5⤵
PID:7096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
5⤵
PID:6480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
5⤵
PID:7044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7376 /prefetch:1
5⤵
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7784 /prefetch:8
5⤵
PID:6560

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7784 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7888 /prefetch:1
5⤵
PID:5500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7876 /prefetch:1
5⤵
PID:5604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7936 /prefetch:1
5⤵
PID:5564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
5⤵
PID:432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7964 /prefetch:1
5⤵
PID:6436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
5⤵
PID:6420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5012 /prefetch:8
5⤵
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,17696047242530909058,10829243477118983760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7184 /prefetch:1
5⤵
PID:6064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb980646f8,0x7ffb98064708,0x7ffb98064718
5⤵
PID:1372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1484,13351838257216700942,16935586058262285371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
4⤵
- Suspicious use of WriteProcessMemory
PID:2744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb980646f8,0x7ffb98064708,0x7ffb98064718
5⤵
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,4234752261818752399,12208947978784661554,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
4⤵
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb980646f8,0x7ffb98064708,0x7ffb98064718
5⤵
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,9557486732122093944,1932776981464401893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
4⤵
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb980646f8,0x7ffb98064708,0x7ffb98064718
5⤵
PID:1256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
4⤵
PID:5204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb980646f8,0x7ffb98064708,0x7ffb98064718
5⤵
PID:5400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
4⤵
PID:5972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x17c,0x180,0x184,0x158,0x188,0x7ffb980646f8,0x7ffb98064708,0x7ffb98064718
5⤵
PID:6128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
4⤵
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb980646f8,0x7ffb98064708,0x7ffb98064718
5⤵
PID:6376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
4⤵
PID:6772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb980646f8,0x7ffb98064708,0x7ffb98064718
5⤵
PID:6868

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Up2Lj8.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Up2Lj8.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:7064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Checks SCSI registry key(s)
PID:5648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1904

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
Filesize
101KB

MD5
89d41e1cf478a3d3c2c701a27a5692b2

SHA1
691e20583ef80cb9a2fd3258560e7f02481d12fd

SHA256
dc5ac8d4d6d5b230ab73415c80439b4da77da1cfde18214ef601897f661abdac

SHA512
5c9658f6ca0d8d067bfc76072c438ac13daa12d8c1fef33369e1bc36a592d160a2bdb22b4f3eed73e8670bb65107a4134e18e6dc604897a80cc0768769f475dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
72KB

MD5
fb61978b469612f4e00837e696bc6e46

SHA1
2a88c162600429743c7377f3cd776474a5241975

SHA256
b0cb6f2048283e33a7594f92e7f57eac02a6361ffcdedc99ab99c344e11efbdf

SHA512
64049519475d9ab99627279512ba5e52c24760760291ed3ff9d9f2fdb8398e21d51994888bc3301b2a158bb240ede65f157b15d33f1efc256c362bc743ca4ad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
51KB

MD5
f61f0d4d0f968d5bba39a84c76277e1a

SHA1
aa3693ea140eca418b4b2a30f6a68f6f43b4beb2

SHA256
57147f08949ababe7deef611435ae418475a693e3823769a25c2a39b6ead9ccc

SHA512
6c3bd90f709bcf9151c9ed9ffea55c4f6883e7fda2a4e26bf018c83fe1cfbe4f4aa0db080d6d024070d53b2257472c399c8ac44eefd38b9445640efa85d5c487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
34KB

MD5
64af5e859cd411f58ba7ade44f5a8c26

SHA1
c1ccd85a8209e2bbb58c662f1b621d2cdf7d3565

SHA256
7d3be672a50529d4ed208efdb7a90fa467eea5adca9bf877e18b167a4511cc24

SHA512
61ec83ff7512bd438f0c7112111af73b1a6eedd1dbf515dfd19c41dc46e58ea4b998f0faee85e7fc75bbc2d142bbf6b337e52e76aec01f4c6725e9d733765240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
Filesize
223KB

MD5
253130eaad29f6b3a8d8e7815c0bd494

SHA1
a4f9c43a0a8bfdea2abb714a89628d9ab53911f1

SHA256
100b51f83c1ebf8717d0b03fbf1752724877a6c3828b30d24dbd649e1d70de23

SHA512
aec0c1d01c6d5c934091913bac199ec1bcfb87297a02237ebb71659dda8040f64217fc21d535efff9ef994085d74c12a7ee6e8ebf711a83f5afa61d765b257d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041
Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
66cccb8ffe1187243626910dfec902a9

SHA1
88d005f6223b2ecce8de5c608d6b175c3280210f

SHA256
03a7a28d6a799b1b90c061e4eceb53aa096cf458a1cee969824ca84a9120580b

SHA512
062317c5bf75e21d1c3b86c2fa8bfb99082be949a027942162afc4e743e8bfa69647223e2a8d86124d7dc17c9dad2ba67db1d69deff2475a99ccd824c3244f17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
c05df678a47219947153a9e94d61e32d

SHA1
ba89480872603b0f42384fbf75c4ec353d3d8c4b

SHA256
1df5d5019e3856489f37398dd58a3dbe4af6ea5d38fa65619c3c5ed7b0430c4d

SHA512
50fea4519ca232862f42bc0f576e584fdcb00f38eff427e305f7fcdb33b5bae90aa0c21d78ca261e00bfff99b7fdce512be3119bd7b8c00a53c26925d2cc2c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
2c55ac8127f804ec80f33247dc6e5381

SHA1
8a1f4ec009444bc4881f9c90b7e45ac9658b63ca

SHA256
2db78d32d1968239103eee9659303b610f90bca80636654203509af589858bff

SHA512
4d8c1a9015f42806245ff86cdfa9562b8bbaa1b4ff42bd18d0f6a036c375dfbee82de8ead006766fc1a976ca66983558bac4adfec1f82d3e9b34cdceb914ef0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
eb53d35046cce06e60ab0f5e82e7db17

SHA1
82dd49cafde2ede3a86c9dfa1ed0b7b5705a4a3b

SHA256
9436cf2979999317a396e661c6c74dac7258b5adf826eb2565f87091025bf678

SHA512
7c7cdd31bbb3bf8040858de40a805e5ff29ee0ea9b57b38e3b54adb56b04f8613e63a0a2177805a4aa764b7aa5d4545b675b28be3d3dbd0dc5eedc0fff4ea492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
c1fec5c8d50751e7faa54b56a551719e

SHA1
da0d6853fdd2ffa8c789745eb63173b5645e808d

SHA256
2e67f35b6f680596b93ed5a54ab64e43af4ae52ea70005e128a8491a56c18749

SHA512
4b16e3c405b0ce3901937c83b174472ade33f9beb9791e32c0448cb9cbe6dc965579a88aa0216070a890107759421a94a9b8a0b46466bd752cbaa66026b1d706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
10KB

MD5
660d07c300e841e54eb727f355488ced

SHA1
a760a4adedf4bf9c89331f776fa95d60a1cdd794

SHA256
b0b2be0f35cb8efa3fc61ab4b14ae741bc1e85a79fef9c75c6bcb7f19b0c2b17

SHA512
817e7073886067e8e3fb9b3c2ac60a50ec3968e41e31bf7d4ea61dedd71fbf5104276ad242b00d7c753a26b45ce2cc877eb298c37fec74b56f5c23356c74c29d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
89B

MD5
e168fa81a08f5bee334904d0a023a615

SHA1
12fc47dbd95462a6b4d5894808f19ca986e7ab21

SHA256
117fa1eea69d5c6aee5cf9cd1d1ed3d8cd33a013c2ecf36e98ae4bdf17ca7f4f

SHA512
b262b60d3dd50f824b83b87c73cd0bba78b5447e621d5913d835c736630cb9265c43ac466b3c1cc705927681114bce7a319c7eaa3bad23ded6c442febc503084

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
146B

MD5
cfade1b2e7c45f221db4a57a981aea09

SHA1
62da990482caeef01a97e29856872bf8cab78f28

SHA256
e0a1e4c7e54288d35b995f9be977a505df715a8a86608f17d7aeaf0da3d1df1a

SHA512
8daf4538f1ca72f29ca7675c04d69b5f77b528143bc220ed66ac48728fa2e6eb9e405e81cdc1240501bef029ce4fc4e8d02b6dca0949234fa141d31f929cce7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
82B

MD5
738b0b612d4caaf26837d459a1130e1a

SHA1
0d1455da10c7fd62a8e5e7313d55c176aeb8899e

SHA256
6922b9e7a7cfdb4aded98a7d16c40f20e34692c435abb5ec3c02005121b56568

SHA512
f5cf344c88c22041928e00da629f1e6038ac99a34a48048ed647bc4d2322bdd79cf545e1b694e66d63ecc89075b8c435a71616cf99314ca511af95a91e10dfca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
1f568891daf79880edc8b0792e3aadc3

SHA1
22bc0c3973051d386d1ac3c1458779000ef699f6

SHA256
39c412ca1d8da5ced18bfac61f340ec502af51f35607d5ad138e56053eba53f4

SHA512
c2cbbc2119c6babd6426ea08e2160480a2af0f03b433b002dcdc3be40dbe090317f13c5f0eca1466274b58d076395134a43ebf23697c39682f5741db952b5cbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe586d8a.TMP
Filesize
48B

MD5
66277b73ebc1286d116fc2eb01e25904

SHA1
7189ef63c1dc6e7df3fea0b4f262b9faae100521

SHA256
f1d7a6b75243dcae3b921b0d6b6a43a9be8f0524f6af59845868eae9466f7cf2

SHA512
290940dfe316e88a5daf35187ce69167b2fecc20ff497ba3f46ea80877e5642e379f989d8c3a947021491f0ddeb3aaebbba0b827e8a3059723d4120f108be8ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
ebc771213703c89723b8e415cca43555

SHA1
1aeefd15e3ee069ff5dad3f891ab34b16be4e5df

SHA256
532aed74e4715ef29096e20de4611bf006f22e2065b40ea2305ae8b2696029a4

SHA512
290c39a4fa02970c951c825d04544a219b2cd33206689a65c21a01437598986db6847923a456bc19ccec3347d762845be763769a12e3e1483a35d222081dfc76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
21069594d995e933af81454d5f7664c2

SHA1
96a45d33c441bf1776beaf8a797b6212f9e181f4

SHA256
b2c12844c5bca173fcd34e0ff9c62d190e5618bdcea447be786ad848b53e4f66

SHA512
b8b283831f841a567736c6c8a530729355f88e0a40a70df830f58f834a52b3f02af03ee9478beaff9c539dd65b4ec6711c9989fa1d2611a29d1ca74413a5c64d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
4KB

MD5
15035b3a3b1547cdf0981b50d6faf19a

SHA1
98265217da4ee9cf2ddfebf1b66f66864fcf4dd9

SHA256
fdf22af7db7cb9cf96c0933a85f4596319ed7b951f65e5a837d7ff73a7d816ed

SHA512
950f1647a29ee47b0c00fc868a483fa68620b3ac3c8a9927cb2ccdb7c9cbd9e4a3b1f38d98b7105a2225afddae59a2af3efd412d326f1e3ffc322d4ddaf6ef67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5822a6.TMP
Filesize
3KB

MD5
afea9565da9f471c6d77e2fa0813d47e

SHA1
aebfab9ec4d1c5f79b77a5477ed70cb0c38f088e

SHA256
fd69a21f7236f92a8733f311f253673fcc27b47ac182c6cd94a708a0c6e1d0f1

SHA512
62074c08bdda8f71d9551f955fd10392ed1b89e1645bf0e2b5817307444d8db637afb402cf38f628b70ee005e438f660aa3c4b9d56b347db29784c64452bd1ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
90133c034e69374a84c0b3a599173ebf

SHA1
492f639247acee316ac3e52615c9e2abea6ff206

SHA256
636b37452c8a1a8311dd740f79cb2990adbec2cfbe391f6e86b2d6513650a96d

SHA512
3ea690428aed0c9fc7ad00c8fec859bb97b5255c43e72609b2905d963e28698ae376fcfe840ae6e87aeb371969f169860c34bd78a227976574dc8cd7482e5e0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
9df388a7187ed32534d868016dbdb3ff

SHA1
24bd757378c6497e6ea3b20c9d263b5b3fdb5d87

SHA256
1734f5f61dd420c265007ec36976e2b2f89f56c45806aad311c811b732522b8b

SHA512
c42dd427197e687b46a15689158c0114ee8dab618445d10392dad8b25d54c33aed3ee82b86d3babdc45fb29b007c4220bca804a7bf8ca6582f232377b005ce0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
b99e8a8c4f49c2bf3d68ced7a63abebf

SHA1
b089c60a3c4df7bf58b069bd876d628b5e3e91a0

SHA256
d33fdf87b23ff202d6890e674192917453cf4cb0a7995533be55e442de69f5d3

SHA512
8bdfdfad0378238ac52c5ceedc79addf47c4d2f00a969269b68bbfaea219c98236ff02cd3ef0c51420f1187f0d98c8f32e051c8a41d41e0f565d36fb902ab921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
f3c0f0051b95fcbb89b424be82eb2e91

SHA1
5aea17f111fe28e7421101ef37f1ce829c930f49

SHA256
c4fa72afd5c4e35d1fed5bc12083d8eeb78f16e96f13199b07d2350018021b34

SHA512
98b2b6e6e4960841ce91e788157925a6fb02839a169c3456b74dfd0df378ca2915bf654700b0a17173b61ac530ac792c5df2c8061dbd29192c7435e5d2812660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
a83b6e40caac3a6d4abd977d7b3ffdaa

SHA1
8245553b4af4f529d71e9d8c9527d908fc870c1c

SHA256
4acd9d87c49224ba47817053bb712566fb7b250ff71203979465dcb12ddcffa3

SHA512
cfb0c11b367cdb60cc6e364a4a0f0b14a847d1f4fd598d1e06c8784077531acf87eac6f746ef1a56ab69c23660c4a732213775dffbbde40a6235143f9d14b61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Up2Lj8.exe
Filesize
903KB

MD5
bd43781793fd3f18b3ac8a361cd107fa

SHA1
f711e4c4db3c3149c4c1022bb907dade89753c57

SHA256
640f6711d97819802f6db40cadd440fb27d02638deef19515ddc9f4d9bc3c1f1

SHA512
3ca9621417bdb97d226a8bddfbde3c792af7bbe173b508ab31adb2ca191ae71274854db5301dc41a6925997beb56b65ee8389e326de3d441df619ed1d944aaba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\iQ7jF15.exe
Filesize
1.9MB

MD5
6d758e36ee2689ab57a938c774e78bed

SHA1
8ada8a357a7c947f5ffff72fd4f81fb7d2f9bdb9

SHA256
384f0986d5da7808aae143f27c06b11b17ceddb068ba2e674968f5fc98a4e24e

SHA512
7dab12e3a5928b3c702220769d8fbacf88e414949868759a5a3f7b783e7fd84794bc57562d19a651d1d5ed38ac1b668caa654b6860e7b35241151841b4faa7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4gF248wy.exe
Filesize
896KB

MD5
c66a350bb7c9f45ab16ebab8330b1a59

SHA1
b1a99813d8cde31801d8ea2ccf7ba2808577c09f

SHA256
36922b84b48eda965d2fb7bb4a71512d489291e48c1aabc6d07fab4d884ddb1d

SHA512
7c33ef134614e458cdaf3d8154057e7d3c521e10d0aabae9a8c290fdf87a70a9bc4c377c1f93981b07af92a798d8f253aefb3dd03e2d3b80a82be9b76219448b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\UC5XT89.exe
Filesize
1.4MB

MD5
977d1a5245cc8c400de76103e0127e4a

SHA1
3f2e623e06a1cba5d3af81790d210d9e883abf85

SHA256
78732ecceaf31d152467b6b6a9b62ca2cafb3416fe518d5735ad10fc29e5c0f4

SHA512
bc12b62763dd5d86ff62b092772bb403a152eeb8a5b2b949a929bfd28c8acbcaacf35777513d8c5c88404f19db532f36a85592cc429da1ef6cb2d0141f43a75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3qZ54PU.exe
Filesize
38KB

MD5
6308a6424550cddc520d5e3c7aa94131

SHA1
70f80cec66da63434c56c3905598075f93358943

SHA256
441ca0833af64e14b0ee0d9ea2db9ef382905e815a5a66930e7b1d3bcd532aa0

SHA512
c782e9e54e97690e0e8e948d44f87063f7049782e94ccdd861186076763a3184f4f7f1762b138531a720eaaafc9d97409e8c1d1756c2570de3b5e4458eaf665f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hq3xN22.exe
Filesize
1.3MB

MD5
63def80423a6bfc499eaf5242eb26d49

SHA1
b8894e19f241ad3929d14d38228f494e25028235

SHA256
89b1f61aa4bc145a4bef37dc72c42eec062e319f815a8504b905d89618204c6e

SHA512
e06a9910d7527e9da6a7bb1b8e699357fd85abc4d63d1f4495de307133c6ae9f8e54c5e5ce5114d668b7fa5c80518b7bec5e666bb2e11149a4ccf46cf7dbd84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1Ts79wh2.exe
Filesize
2.6MB

MD5
5ff9961333452a50425eb4edf23ec91f

SHA1
7215d2cecf30f5d7494d850e453dacc066590d1e

SHA256
271bd339d837392402b1bca65e8327574127aa7166b0a0e4bbbc1f01ad3b85a0

SHA512
b1d883ea20077eb0fcbd27459a0d26ccdeb755d1cb1dd3a7734eb569ae85993e51025936a559cfb0eeb8f53f94bbbbba5443e972b308c9823a9fddf7cf1b9f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2HH7799.exe
Filesize
1.1MB

MD5
faf25b703c6cdb034ea4cb0f6e09856b

SHA1
e2c44f1897528aff1c0db9ea76604822aaa6d365

SHA256
91b9b8c98de8a0019f0dc6376d4a25bb7fcacba543d3d93a66a1274cf8f02d3b

SHA512
3ad67674174fd678f1e31db3b6cfe4756d3b24ac1be843347f281c6cefd52c5972587211be025105e284b731de509b2a27cc2d234ebdc40f2c8ca777abe2a110

Download Submit
\??\pipe\LOCAL\crashpad_3720_TLEGYHGKYMQPLUHP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1980-62-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1980-50-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3044-28-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/3044-29-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/3044-31-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/3044-53-0x0000000000400000-0x000000000057C000-memory.dmp

Filesize
1.5MB

Download
memory/4468-61-0x00000000076A0000-0x00000000076EC000-memory.dmp

Filesize
304KB

Download
memory/4468-47-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4468-54-0x0000000007770000-0x0000000007D14000-memory.dmp

Filesize
5.6MB

Download
memory/4468-55-0x0000000007260000-0x00000000072F2000-memory.dmp

Filesize
584KB

Download
memory/4468-56-0x0000000007240000-0x000000000724A000-memory.dmp

Filesize
40KB

Download
memory/4468-57-0x0000000008340000-0x0000000008958000-memory.dmp

Filesize
6.1MB

Download
memory/4468-58-0x0000000007590000-0x000000000769A000-memory.dmp

Filesize
1.0MB

Download
memory/4468-59-0x00000000074B0000-0x00000000074C2000-memory.dmp

Filesize
72KB

Download
memory/4468-60-0x0000000007510000-0x000000000754C000-memory.dmp

Filesize
240KB

Download