remcos | 51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2025, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Size

962KB
MD5

4a9440baa61be8363a372b0bbc5933ad
SHA1

9aa5380dc87829c6fa22e9029cadcab9f6221ef9
SHA256

51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c
SHA512

648bd4434ce14e15c3faba25945525fffec6dad028e8fe26982d70096ccd448ca6e114e10739b1e990ea65970db97897713b8054450f1cd98c9aacb596436b0c
SSDEEP

24576:fdFeteG2H+FLBvmhCWWmLiUZklZGIo/KCrB:FA9w+bvmhCWWpUZkbDo5rB

Score

10^/10

remcos graias discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Graias

185.234.72.215:4444

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
graias.exe
copy_folder
Graias
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
graias
mouse_option
false
mutex
Rmc-O844B9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2052	powershell.exe
1156	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	graias.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe

Executes dropped EXE 2 IoCs

pid	Process
2852	graias.exe
1904	graias.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-O844B9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Graias\\graias.exe\""	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-O844B9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Graias\\graias.exe\""	graias.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 3284 set thread context of 1288	3284	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 2852 set thread context of 1904	2852	graias.exe	100
PID 1904 set thread context of 4596	1904	graias.exe	101
PID 1904 set thread context of 220	1904	graias.exe	125
PID 1904 set thread context of 4580	1904	graias.exe	135
PID 1904 set thread context of 5820	1904	graias.exe	144
PID 1904 set thread context of 5724	1904	graias.exe	153
PID 1904 set thread context of 5796	1904	graias.exe	162
PID 1904 set thread context of 5144	1904	graias.exe	171

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1576	3284	WerFault.exe	81
4028	2852	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	graias.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	graias.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2052	powershell.exe
2052	powershell.exe
1156	powershell.exe
1156	powershell.exe
3516	msedge.exe
3516	msedge.exe
1240	msedge.exe
1240	msedge.exe
4680	identity_helper.exe
4680	identity_helper.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1904	graias.exe
1904	graias.exe
1904	graias.exe
1904	graias.exe
1904	graias.exe
1904	graias.exe
1904	graias.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe
1240	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1904	graias.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3284 wrote to memory of 2052	3284	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	89
PID 3284 wrote to memory of 2052	3284	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	89
PID 3284 wrote to memory of 2052	3284	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	89
PID 3284 wrote to memory of 1288	3284	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 3284 wrote to memory of 1288	3284	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 3284 wrote to memory of 1288	3284	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 3284 wrote to memory of 1288	3284	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 3284 wrote to memory of 1288	3284	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 3284 wrote to memory of 1288	3284	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 3284 wrote to memory of 1288	3284	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 3284 wrote to memory of 1288	3284	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 3284 wrote to memory of 1288	3284	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 3284 wrote to memory of 1288	3284	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 1288 wrote to memory of 2852	1288	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	95
PID 1288 wrote to memory of 2852	1288	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	95
PID 1288 wrote to memory of 2852	1288	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	95
PID 2852 wrote to memory of 1156	2852	graias.exe	98
PID 2852 wrote to memory of 1156	2852	graias.exe	98
PID 2852 wrote to memory of 1156	2852	graias.exe	98
PID 2852 wrote to memory of 1904	2852	graias.exe	100
PID 2852 wrote to memory of 1904	2852	graias.exe	100
PID 2852 wrote to memory of 1904	2852	graias.exe	100
PID 2852 wrote to memory of 1904	2852	graias.exe	100
PID 2852 wrote to memory of 1904	2852	graias.exe	100
PID 2852 wrote to memory of 1904	2852	graias.exe	100
PID 2852 wrote to memory of 1904	2852	graias.exe	100
PID 2852 wrote to memory of 1904	2852	graias.exe	100
PID 2852 wrote to memory of 1904	2852	graias.exe	100
PID 2852 wrote to memory of 1904	2852	graias.exe	100
PID 1904 wrote to memory of 4596	1904	graias.exe	101
PID 1904 wrote to memory of 4596	1904	graias.exe	101
PID 1904 wrote to memory of 4596	1904	graias.exe	101
PID 1904 wrote to memory of 4596	1904	graias.exe	101
PID 4596 wrote to memory of 1240	4596	svchost.exe	104
PID 4596 wrote to memory of 1240	4596	svchost.exe	104
PID 1240 wrote to memory of 732	1240	msedge.exe	105
PID 1240 wrote to memory of 732	1240	msedge.exe	105
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106
PID 1240 wrote to memory of 2160	1240	msedge.exe	106

C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
"C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
  "C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Users\Admin\AppData\Roaming\Graias\graias.exe
    "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1156
  - - C:\Users\Admin\AppData\Roaming\Graias\graias.exe
      "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4596
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xd8,0xdc,0x7fffa3ad46f8,0x7fffa3ad4708,0x7fffa3ad4718
        7⤵
        
        PID:732
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
        7⤵
        
        PID:2160
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
        7⤵
        
        PID:4988
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
        7⤵
        
        PID:4408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
        7⤵
        
        PID:3984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
        7⤵
        
        PID:3848
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
        7⤵
        
        PID:3976
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4680
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
        7⤵
        
        PID:2152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
        7⤵
        
        PID:4304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
        7⤵
        
        PID:3496
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
        7⤵
        
        PID:3572
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
        7⤵
        
        PID:1464
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
        7⤵
        
        PID:4972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
        7⤵
        
        PID:4692
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
        7⤵
        
        PID:852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
        7⤵
        
        PID:3504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
        7⤵
        
        PID:5076
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
        7⤵
        
        PID:5472
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
        7⤵
        
        PID:5560
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1904 /prefetch:1
        7⤵
        
        PID:5888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
        7⤵
        
        PID:5972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
        7⤵
        
        PID:1576
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
        7⤵
        
        PID:3200
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
        7⤵
        
        PID:1592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
        7⤵
        
        PID:4660
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
        7⤵
        
        PID:3556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
        7⤵
        
        PID:6036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
        7⤵
        
        PID:5380
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
        7⤵
        
        PID:5696
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1
        7⤵
        
        PID:6072
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
        7⤵
        
        PID:6096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
        7⤵
        
        PID:5608
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,11575960465964992267,7882717492899319439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
        7⤵
        
        PID:5400
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:3896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa3ad46f8,0x7fffa3ad4708,0x7fffa3ad4718
        7⤵
        
        PID:428
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:3624
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xe4,0x108,0x7fffa3ad46f8,0x7fffa3ad4708,0x7fffa3ad4718
        7⤵
        
        PID:1916
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:4876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa3ad46f8,0x7fffa3ad4708,0x7fffa3ad4718
        7⤵
        
        PID:3544
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7fffa3ad46f8,0x7fffa3ad4708,0x7fffa3ad4718
        7⤵
        
        PID:5416
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa3ad46f8,0x7fffa3ad4708,0x7fffa3ad4718
        7⤵
        
        PID:5804
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5820
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa3ad46f8,0x7fffa3ad4708,0x7fffa3ad4718
        7⤵
        
        PID:1888
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:4304
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa3ad46f8,0x7fffa3ad4708,0x7fffa3ad4718
        7⤵
        
        PID:4800
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5724
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5276
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa3ad46f8,0x7fffa3ad4708,0x7fffa3ad4718
        7⤵
        
        PID:5264
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa3ad46f8,0x7fffa3ad4708,0x7fffa3ad4718
        7⤵
        
        PID:5828
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5796
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:3360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa3ad46f8,0x7fffa3ad4708,0x7fffa3ad4718
        7⤵
        
        PID:4432
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa3ad46f8,0x7fffa3ad4708,0x7fffa3ad4718
        7⤵
        
        PID:6136
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5144
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 1204
      4⤵
      Program crash
      PID:4028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 1136
  2⤵
  - Program crash
  PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3284 -ip 3284
1⤵
PID:1860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2852 -ip 2852
1⤵
PID:1880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\691c78e0-5c0c-4261-96e3-d3e6f75b8731.tmp

Filesize
5KB

MD5
87d6c97eef0cea9b00a2b30792cdc64b

SHA1
8dd35b2aa119ea8c65af56ab9498785202674ba6

SHA256
920fe7a052dbf48b5338eaa98d9456db023ad8be3dff670e29a6634102b70b03

SHA512
db67e0ce68acf57fd9114a5941520a9f9749dfb4f23bbf9e995e060076b059e9d87a9d843e86f84f9b99a7d8afbc99a64e946820b7d010e448efe00162e9b8bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
68KB

MD5
0cccccd82d68d5ff076e1bd047436ec8

SHA1
0b9d6ebef9ac1c03f8138e9fc9203f9cd69d2a73

SHA256
0e9d24e58133fdae2fe766ece9358afdc57da1568485bf36182851b6c1291246

SHA512
84c357d75e1b7c25249ef826bf5ea9ef4445f2d4f985ae7128363421ac28f1cf438256cb40cdfd2fcf9ad439900dfc7796f9ab850e0445dbbfab5c23f29575eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
487KB

MD5
831a0aa25af2c60a7380ea75c321d930

SHA1
140ec306c24ab6f348c4dde5900b219d817e2026

SHA256
8cdde5daa52335c0a4e416f6fc22aa80744207a38fc276bd65341c2d2e903557

SHA512
0147937b2b2cf9bbf7e8dbee2d598e156c6ce4ddff224b3dc48caed96e89038ecdff1ace743b82fdf6155c40b674f4b1983693dbe45c39898487d3b7be258161

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
89KB

MD5
6c66566329b8f1f2a69392a74e726d4c

SHA1
7609ceb7d28c601a8d7279c8b5921742a64d28ce

SHA256
f512f4fb0d4855fc4aa78e26516e9ec1cfabc423a353cd01bc68ee6098dc56d6

SHA512
aca511bfaf9b464aff7b14998f06a7e997e22fcbe7728401a1e4bd7e4eceb8c938bbd820a16d471d0b5a0589d8807b426b97292fc2a28578a62e4681185556c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
4d0bfea9ebda0657cee433600ed087b6

SHA1
f13c690b170d5ba6be45dedc576776ca79718d98

SHA256
67e7d8e61b9984289b6f3f476bbeb6ceb955bec823243263cf1ee57d7db7ae9a

SHA512
9136adec32f1d29a72a486b4604309aa8f9611663fa1e8d49079b67260b2b09cefdc3852cf5c08ca9f5d8ea718a16dbd8d8120ac3164b0d1519d8ef8a19e4ea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
259KB

MD5
34504ed4414852e907ecc19528c2a9f0

SHA1
0694ca8841b146adcaf21c84dedc1b14e0a70646

SHA256
c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810

SHA512
173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
62KB

MD5
8ccb0248b7f2abeead74c057232df42a

SHA1
c02bd92fea2df7ed12c8013b161670b39e1ec52f

SHA256
0a9fd0c7f32eabbb2834854c655b958ec72a321f3c1cf50035dd87816591cdcc

SHA512
6d6e3c858886c9d6186ad13b94dbc2d67918aa477fb7d70a7140223fab435cf109537c51ca7f4b2a0db00eead806bbe8c6b29b947b0be7044358d2823f5057ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\104b23e39498d6c6_0

Filesize
295KB

MD5
10458dbdaa6ae3218d0ea51423fc5f83

SHA1
026b92bc0e87c3ec3e391f9a21dc4f1e92612a44

SHA256
725e05af25b43c2a427a35da58f1374ec5fad6ec4a74f204ca155aa5067bcdaa

SHA512
31a3820d5c1207ce9d7426441e0ca2bd76a6c52e60f59ce13327038d684c7e98646a1a1596c2e25a09832d1c345f42058a6b0ea33ab894473db56328b7e980c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\26f1a435530e3442_0

Filesize
1KB

MD5
e97707bb622c5dbbb83c92bbc1df18ef

SHA1
c3a69969c05822e40e46481653f1d33fc59ddc2e

SHA256
16c245bbdcaf4f04d40e71556c6c23fb0d96d7b2f76a49aa09777d42c71748de

SHA512
27745a06f9cca23123bc2ce4d1ff719c077fee03c758ae5fde4ca2deccc726e158b6884241225f180a593aea5316f61c0573e33056ceeaf6720336b4171564da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

Filesize
272B

MD5
649eca2dcf5cb42752315fc0763c07f8

SHA1
fbfeb89b09ed1eb9bfbedab5cb8e5fd514ab214a

SHA256
c843b964bc30578836ac9587420e5787809d1d5a6c58aaeef7d458601dbd5031

SHA512
08fc0e3d0f070ea1c8c738d5c0cff987491ae8ca270dcac230be65308623a5c593b230d94591d8c07c9cdb620214bae72b3beb56cae318f138cea14fd83fb8ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

Filesize
291B

MD5
105ecf629753de17fa7fe6fce10a784c

SHA1
a542c5f4d26d42e16d6da2a7300ec95776266903

SHA256
58bb2a433fb9d922868bfd45ba327b467add9386cb2c5500ae3b61fb9cf0a296

SHA512
f77b7a1bffbf9e9006b9ab35d44894dbfb6231903a68c82188e4a1800ed17e836eac588578cbf6a5423af5922e9ba25ae513258a75adb79a056a67f61db88909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6d27e37422eb2ccb_0

Filesize
188KB

MD5
8bac7214950378736138a931ba51ac76

SHA1
47b1f0a4c141c7d46ced3f387a0a394e3b9fdf09

SHA256
143eb00111280eb36da97820d3d896eb2be0b249f90f946c92e04eef4c1b0d44

SHA512
082419981b734920eb7bd2c886ff9d5f94a25780198bc1cb8f1bd092ebcaec21c117710279dbaf1cf0765c9e800f34f539e24123f83cd51dcbc65d50ce5bd7ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7d3ff811bd19cab2_0

Filesize
1.3MB

MD5
c8ed69b623d223bd96eb1565f33b1542

SHA1
f4fea3842b566eaa992f4fafbbe8ac94775a615b

SHA256
a45d241b821016776145c2b6b7efb353e4938a95b5a525e9036ffb70b40e9117

SHA512
7eee3002e4769915e4ae96bb23b797d465b5a577a0b3ef1dceb8784ea7fbab1c315ed2595c4bd385a046a2c9aed1a7d7a01ca9f2038a0d781712d382b68858ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b74e8d4cf7668d25_0

Filesize
1.2MB

MD5
532e6dfc4e52826115cbf43d46a4d3a8

SHA1
ee72489a1e5ea2da26aff199f89fd707f0743add

SHA256
70a05fc073f7125cc5b15e2681204c7255a1212492e8ab4241397cb0d0e20b8c

SHA512
fc8a8468ee9b7ffecce0209e8c153beef40e216ae16e368a1e08acc5ddd41dc4111b99cd9fd1bd5bd91a49b82995c28447a3198d16b2067fae3511318fe7ba95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e91da4b52bb26ef3_0

Filesize
297B

MD5
bdd4ad735a1f32c02af53dabd02b6ddd

SHA1
60732cbd62a4fda05377abfc24c8d1bfeff9bce8

SHA256
03c7831de582df9d00c3d402aa6dfec7e43a63d4803968ca07011037b4c6581f

SHA512
00e35aca445e727658a0593067616c6e6457c4164b73293b3e498fbdc34eeb8f83f11cf8aeb10faff39ce073f58c82cbac5d9b313e099627f976ec05128bb87c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

Filesize
269B

MD5
0fc6e9b652579ff48d810e92dbff6680

SHA1
d6bb24be50ce4742d3fd6afe6519328fa3f2de74

SHA256
75e576b6e5982b02024171c090cc77b43e37d35d428bbeecd82b39771efb5eae

SHA512
cc51173a775d3cb022bcfa5359a41cbcbdbab40c293f38d28437f2218d663db6d3a8aecbdb11570e449768754ba44d96bcddd87c3231adfcca3345e54fd84402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aa96569e1447398ac2263d6632f2a138

SHA1
e81013a736157bcf9f58cfa4328965d91e3f7297

SHA256
e2c38f1309085158a08f67f980d935b728c4fb1e95b64d67053c78cbcf8efb2a

SHA512
378cd587fd169e39cd0afa2c32103fdab05af5da27b3e7e2f8fa6c3d4964f54d3a2f26df2ec9303adc1157a72061ff0db7e2fffeb0456e2041da06d8c512166a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9595ddfd6ddb5bf72b8e880a4c0cd887

SHA1
8a6e714dd7e15c5de204ea20d807e1f79d484f3c

SHA256
6783659aaca5722f248ab4ca8adb11f5f9972b1bf104401aa93759fbf137ee08

SHA512
19f3783c6873d9d53cb462491e85167ec71d4fa4ac3fe363b423f9a6e0e2db4a4185078e0ce3f35cc043398e979efe01166592f53c59ff71f9da5bc9980cefee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
21ce104bc613c7f2a9e33811b0667eff

SHA1
73dcfff90c728cbabcd1302396bb866e813b14f8

SHA256
0960c841953c5298ca1edd2fac8c42fc22c00288349fe0b188abd5505bf4abf3

SHA512
13f125081fc6671e1c19e0a03263c7932a02a919e8b56bf45221547aa0057fd642dc7fe5d4eb86af0a0f0ebb654fb59b5698371639c241034b753fc5d321d6c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
03fe248a0bebb0cac85ac675d188e320

SHA1
3498f124312374f6251945a62f1b4971fdf7edf4

SHA256
d68291a0ee7a1251f7ae4fe83051af0edf8259925c53281a193f15e3badc6e86

SHA512
cba99de25da68756879ae3bcd560f8abfe33840889feac135e8687c461b6e73766de87ae173e027fef93acb18799ccd5a142cb42eb1857e18ac50c9521f8a0b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0a1359a53392d5df0628f1cd256ee7c5

SHA1
78baf7b07636ca757941331c4de8711f83bbfc93

SHA256
d840df2ed961d48f2f26211d382d997a56035b937fff089834c999d780b33a2b

SHA512
618559cba7d8b72dcc04d92f44c99e04d4de409d8239d8cfacdad033bab991bde790776f9bc753d130f587218d478b23e869eee67a5507bf3cf8a0222214f4d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d87c13fa6d6de07eb1f4a573ae34ae3

SHA1
abee95f2b46110773a3b3594c9b0cba6ff617394

SHA256
2fdeaf77fe7228656f145e9237b3d67d4c023a3afa54ceea9d8c6df8559849ff

SHA512
415065419bb0aa1fa1ad130fb8b229a2563b7779b6c9c1d7f42d6ba860c731731a35982c8a381cd076d9834d973e7796328113fe64df35db051427cd3ac45388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
352c8681383791dfc2c2812b6a2f1446

SHA1
7dbbf30a1b0fef7f01a40029d6ed509adb982ebf

SHA256
882772c891dfeeb89ef4bfb04f0341ba248bbd3113ec4e51ff477c7e6bdb68a6

SHA512
47f4b920e1e9d6d34aba99e736ed10b92b922af94a08d23e58ceacc9ea69572d1e38f99b4d8ee1ae3c4ce48ee42b69d99c8f18385a2d890a56b7a5f3946ac233

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
a6b5da300b5a5ec4c0586a5381a4cdb4

SHA1
339cde52a46c5510356dfd4d9f8b4903536aecb4

SHA256
243c36cd33f866ee2144f27a62b2295bf554ce92bc308ce2ee6f723409215bbb

SHA512
ad89e3ce7723e2a1b2e5a68cccdb2b366c6ec7605b7953146939a652d70f466d5b2587cec6c7459d0a68c81e721e7631815d039a604b299697abc907187aca7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
b3a7e06bdcfcd520d1c317222b54d412

SHA1
d305533fc5b3a1e0475254527dd2b1fab2d5b363

SHA256
216dfeb354715fde86ef999756e32266f793c9a528019dd4cd095e74947cb4ae

SHA512
d49dbd036774996c76f54a5f450c9f02b7c6cc5da2e8e58d1c7a75f561d1dbead4c365c348c5960ddced3f84a575789db7b8180425d6d474b7b5a64c4eb2353c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
8f9b2206b532f49f6cc3dae2a405b37e

SHA1
0b068b961bc2cfb9586d6b2899a8c5834a2c992b

SHA256
93d2a1bbb1901a48ce1dd34e394686cdb50cc27dc6f79e7b94ab1924834cb40c

SHA512
43bc24b52efd2bb713675e6a714dc9abcf60be6736f99127cb38f1c684d6ee1fac655250c078dc0886d5bbc25f4ebc810bba7c02183a3f3d42a7b3a563c823e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
a69a87bc411803b2dc5fef4f45bd7988

SHA1
c6c381af662dbf3141184ef5d66546e5c3320ebe

SHA256
97f135fd3765e0c9e36c6444f01498078b64c7c6d692bdffc65f2edea2fd3a69

SHA512
d7aca10e8cd9ca21854bdd53e1b34187350db8c28d75214c71960b26653628747a9848fedc1bae8a511488069bb8a6b7bc9af5a6d2b8c5f827085c93851c85eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
d0a104e9d272959c359d261e3978f161

SHA1
94e07a2effb2a7a99cd9bed2a87da96edc45698d

SHA256
6071b3689fcccbad3423636daf0bcc7e81a7dab4c65b40341cd4b5b92513fa40

SHA512
500f8ca6d77bac16d7547c853ddf815793f0a77ecd99d26842d6bbec217b3ebd72a0cacc34944e610d9a96b899f2fc584d0fd348304617ae286ff7b09a3386c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
c54ec49f5b4cdc4e798ea4cba7cd703b

SHA1
02a4194bcb00d8e8ac3de7c08c33f830fa0ff369

SHA256
fa8354f78548cabe11498ddb781c24449ba4c2117751f66b696ffe5693f8dd58

SHA512
7315fa92fe372f68538d10c0261919bb5b8fafb8dffb8d34313f13ebcb1c24ddbd2602b0f085c47283a4fd295b76b22ee0aaf3ed71a2807080ef27c75ea7e0c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b188.TMP

Filesize
371B

MD5
5badaf08f5a2d91601cf7e458339a4ab

SHA1
df07c4a9a85a12de11e3c18ee776d36837c156ff

SHA256
a17b22c9a79db3a86af6bae616a6b7eabd85a6987f8a1d60a37a3111a1b26c92

SHA512
09297ac7ea3932f9bb6a2f8909055669fa501523d660d4916cfcea22af4ab5332cdc2f95eb7d3ae0bd1e4c5e0e541cab8fd54f4309d2161c744760149fc778fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
55046b2a35d75026b2fe169901c8ded6

SHA1
9d8644618911479e6f37f333b4a9ef3d5d300aa0

SHA256
70b062f495b733e651ed21c1d44683f271077fbf381073b2bfa6034085bccf44

SHA512
273a30214e4f109c7958cb2001af16b3465a0a74f8c4a038eeaad1847be9d738bb3ea7ebc8a00fc659a3d799a6b82133dc98d822d6f212b782e7d8815daa6e2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d7b3add2798e1e120a18a5f4ee21c271

SHA1
7b73ef72f554d49b51c1c3c5b0c1a39e24c1a607

SHA256
205215692ab11e7819d1e6afa5dd183d31d6e51e36ac9e508cae490f55e87f62

SHA512
2a1fdaf081fa03b7d89ab885253efcbdb5168e6b4e886630903f51d3034c9aac7ec8748a67afa95fd1547b30d6dc16e620ea410c0ee8ab3c1535fd1a8527cee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zhmhgojr.hla.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Graias\graias.exe

Filesize
962KB

MD5
4a9440baa61be8363a372b0bbc5933ad

SHA1
9aa5380dc87829c6fa22e9029cadcab9f6221ef9

SHA256
51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c

SHA512
648bd4434ce14e15c3faba25945525fffec6dad028e8fe26982d70096ccd448ca6e114e10739b1e990ea65970db97897713b8054450f1cd98c9aacb596436b0c

Download Submit
memory/220-240-0x0000000001200000-0x00000000012F8000-memory.dmp

Filesize
992KB

Download
memory/1156-157-0x0000000007C00000-0x0000000007CA3000-memory.dmp

Filesize
652KB

Download
memory/1156-158-0x0000000007F30000-0x0000000007F41000-memory.dmp

Filesize
68KB

Download
memory/1156-144-0x0000000006420000-0x0000000006774000-memory.dmp

Filesize
3.3MB

Download
memory/1156-146-0x0000000006A20000-0x0000000006A6C000-memory.dmp

Filesize
304KB

Download
memory/1156-147-0x000000006F290000-0x000000006F2DC000-memory.dmp

Filesize
304KB

Download
memory/1156-159-0x0000000007F80000-0x0000000007F94000-memory.dmp

Filesize
80KB

Download
memory/1288-15-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1288-14-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1288-12-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1288-11-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1288-93-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1904-738-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1904-773-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1904-642-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1904-511-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1904-500-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1904-127-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1904-131-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1904-643-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1904-125-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1904-405-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1904-281-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1904-282-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1904-404-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/1904-132-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2052-82-0x0000000005990000-0x0000000005CE4000-memory.dmp

Filesize
3.3MB

Download
memory/2052-114-0x00000000075B0000-0x0000000007646000-memory.dmp

Filesize
600KB

Download
memory/2052-98-0x0000000006FD0000-0x0000000007002000-memory.dmp

Filesize
200KB

Download
memory/2052-122-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/2052-119-0x0000000007650000-0x0000000007658000-memory.dmp

Filesize
32KB

Download
memory/2052-95-0x00000000060A0000-0x00000000060EC000-memory.dmp

Filesize
304KB

Download
memory/2052-92-0x0000000006020000-0x000000000603E000-memory.dmp

Filesize
120KB

Download
memory/2052-109-0x00000000065C0000-0x00000000065DE000-memory.dmp

Filesize
120KB

Download
memory/2052-110-0x0000000007010000-0x00000000070B3000-memory.dmp

Filesize
652KB

Download
memory/2052-72-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/2052-118-0x0000000007670000-0x000000000768A000-memory.dmp

Filesize
104KB

Download
memory/2052-71-0x00000000050F0000-0x0000000005156000-memory.dmp

Filesize
408KB

Download
memory/2052-70-0x0000000005050000-0x0000000005072000-memory.dmp

Filesize
136KB

Download
memory/2052-111-0x0000000007980000-0x0000000007FFA000-memory.dmp

Filesize
6.5MB

Download
memory/2052-112-0x0000000007330000-0x000000000734A000-memory.dmp

Filesize
104KB

Download
memory/2052-117-0x0000000007570000-0x0000000007584000-memory.dmp

Filesize
80KB

Download
memory/2052-20-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/2052-18-0x0000000002700000-0x0000000002736000-memory.dmp

Filesize
216KB

Download
memory/2052-21-0x0000000005170000-0x0000000005798000-memory.dmp

Filesize
6.2MB

Download
memory/2052-19-0x000000007539E000-0x000000007539F000-memory.dmp

Filesize
4KB

Download
memory/2052-113-0x00000000073A0000-0x00000000073AA000-memory.dmp

Filesize
40KB

Download
memory/2052-99-0x000000006FE40000-0x000000006FE8C000-memory.dmp

Filesize
304KB

Download
memory/2052-115-0x0000000007530000-0x0000000007541000-memory.dmp

Filesize
68KB

Download
memory/2052-116-0x0000000007560000-0x000000000756E000-memory.dmp

Filesize
56KB

Download
memory/2852-96-0x0000000005DF0000-0x0000000005E04000-memory.dmp

Filesize
80KB

Download
memory/3284-3-0x0000000005B10000-0x0000000005BA2000-memory.dmp

Filesize
584KB

Download
memory/3284-0-0x000000007539E000-0x000000007539F000-memory.dmp

Filesize
4KB

Download
memory/3284-1-0x0000000000FB0000-0x00000000010A8000-memory.dmp

Filesize
992KB

Download
memory/3284-2-0x0000000006020000-0x00000000065C4000-memory.dmp

Filesize
5.6MB

Download
memory/3284-97-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/3284-7-0x0000000005D80000-0x0000000005D94000-memory.dmp

Filesize
80KB

Download
memory/3284-5-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/3284-6-0x0000000005D90000-0x0000000005E2C000-memory.dmp

Filesize
624KB

Download
memory/3284-8-0x000000007539E000-0x000000007539F000-memory.dmp

Filesize
4KB

Download
memory/3284-4-0x0000000005AA0000-0x0000000005AAA000-memory.dmp

Filesize
40KB

Download
memory/3284-9-0x0000000075390000-0x0000000075B40000-memory.dmp

Filesize
7.7MB

Download
memory/3284-10-0x0000000007440000-0x0000000007504000-memory.dmp

Filesize
784KB

Download
memory/4580-344-0x0000000000800000-0x00000000008F8000-memory.dmp

Filesize
992KB

Download
memory/4596-134-0x0000000000CB0000-0x0000000000DA8000-memory.dmp

Filesize
992KB

Download
memory/5144-739-0x00000000008B0000-0x00000000009A8000-memory.dmp

Filesize
992KB

Download
memory/5724-544-0x00000000006E0000-0x00000000007D8000-memory.dmp

Filesize
992KB

Download
memory/5820-439-0x0000000000E00000-0x0000000000EF8000-memory.dmp

Filesize
992KB

Download