remcos | 51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 22:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Size

962KB
MD5

4a9440baa61be8363a372b0bbc5933ad
SHA1

9aa5380dc87829c6fa22e9029cadcab9f6221ef9
SHA256

51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c
SHA512

648bd4434ce14e15c3faba25945525fffec6dad028e8fe26982d70096ccd448ca6e114e10739b1e990ea65970db97897713b8054450f1cd98c9aacb596436b0c
SSDEEP

24576:fdFeteG2H+FLBvmhCWWmLiUZklZGIo/KCrB:FA9w+bvmhCWWpUZkbDo5rB

Score

10^/10

remcos graias discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Graias

185.234.72.215:4444

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
graias.exe
copy_folder
Graias
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
graias
mouse_option
false
mutex
Rmc-O844B9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2276	powershell.exe
4264	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	graias.exe

Executes dropped EXE 2 IoCs

pid	Process
2796	graias.exe
4780	graias.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-O844B9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Graias\\graias.exe\""	graias.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-O844B9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Graias\\graias.exe\""	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 5084 set thread context of 2836	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	90
PID 2796 set thread context of 4780	2796	graias.exe	101
PID 4780 set thread context of 3176	4780	graias.exe	102
PID 4780 set thread context of 2600	4780	graias.exe	128
PID 4780 set thread context of 5248	4780	graias.exe	137
PID 4780 set thread context of 3756	4780	graias.exe	146
PID 4780 set thread context of 2556	4780	graias.exe	155
PID 4780 set thread context of 5296	4780	graias.exe	164
PID 4780 set thread context of 4952	4780	graias.exe	173

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2016	5084	WerFault.exe	81
4304	2796	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	graias.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	graias.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
2276	powershell.exe
2276	powershell.exe
4264	powershell.exe
4264	powershell.exe
1728	msedge.exe
1728	msedge.exe
3880	msedge.exe
3880	msedge.exe
3884	identity_helper.exe
3884	identity_helper.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
4780	graias.exe
4780	graias.exe
4780	graias.exe
4780	graias.exe
4780	graias.exe
4780	graias.exe
4780	graias.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe
3880	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4780	graias.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 2276	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	86
PID 5084 wrote to memory of 2276	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	86
PID 5084 wrote to memory of 2276	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	86
PID 5084 wrote to memory of 2152	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	88
PID 5084 wrote to memory of 2152	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	88
PID 5084 wrote to memory of 2152	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	88
PID 5084 wrote to memory of 116	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	89
PID 5084 wrote to memory of 116	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	89
PID 5084 wrote to memory of 116	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	89
PID 5084 wrote to memory of 2836	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	90
PID 5084 wrote to memory of 2836	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	90
PID 5084 wrote to memory of 2836	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	90
PID 5084 wrote to memory of 2836	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	90
PID 5084 wrote to memory of 2836	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	90
PID 5084 wrote to memory of 2836	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	90
PID 5084 wrote to memory of 2836	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	90
PID 5084 wrote to memory of 2836	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	90
PID 5084 wrote to memory of 2836	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	90
PID 5084 wrote to memory of 2836	5084	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	90
PID 2836 wrote to memory of 2796	2836	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	94
PID 2836 wrote to memory of 2796	2836	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	94
PID 2836 wrote to memory of 2796	2836	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	94
PID 2796 wrote to memory of 4264	2796	graias.exe	99
PID 2796 wrote to memory of 4264	2796	graias.exe	99
PID 2796 wrote to memory of 4264	2796	graias.exe	99
PID 2796 wrote to memory of 4780	2796	graias.exe	101
PID 2796 wrote to memory of 4780	2796	graias.exe	101
PID 2796 wrote to memory of 4780	2796	graias.exe	101
PID 2796 wrote to memory of 4780	2796	graias.exe	101
PID 2796 wrote to memory of 4780	2796	graias.exe	101
PID 2796 wrote to memory of 4780	2796	graias.exe	101
PID 2796 wrote to memory of 4780	2796	graias.exe	101
PID 2796 wrote to memory of 4780	2796	graias.exe	101
PID 2796 wrote to memory of 4780	2796	graias.exe	101
PID 2796 wrote to memory of 4780	2796	graias.exe	101
PID 4780 wrote to memory of 3176	4780	graias.exe	102
PID 4780 wrote to memory of 3176	4780	graias.exe	102
PID 4780 wrote to memory of 3176	4780	graias.exe	102
PID 4780 wrote to memory of 3176	4780	graias.exe	102
PID 3176 wrote to memory of 3880	3176	svchost.exe	106
PID 3176 wrote to memory of 3880	3176	svchost.exe	106
PID 3880 wrote to memory of 3936	3880	msedge.exe	107
PID 3880 wrote to memory of 3936	3880	msedge.exe	107
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108
PID 3880 wrote to memory of 2416	3880	msedge.exe	108

C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
"C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
  "C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe"
  2⤵
  PID:2152
- C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
  "C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe"
  2⤵
  PID:116
- C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
  "C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Roaming\Graias\graias.exe
    "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4264
  - - C:\Users\Admin\AppData\Roaming\Graias\graias.exe
      "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3176
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebc5846f8,0x7ffebc584708,0x7ffebc584718
        7⤵
        
        PID:3936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        7⤵
        
        PID:2416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
        7⤵
        
        PID:1128
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
        7⤵
        
        PID:2864
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
        7⤵
        
        PID:2408
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
        7⤵
        
        PID:4972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
        7⤵
        
        PID:2220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5408 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3884
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
        7⤵
        
        PID:224
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
        7⤵
        
        PID:4596
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
        7⤵
        
        PID:5028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
        7⤵
        
        PID:4448
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
        7⤵
        
        PID:2096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
        7⤵
        
        PID:4792
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
        7⤵
        
        PID:4124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
        7⤵
        
        PID:2112
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
        7⤵
        
        PID:5316
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
        7⤵
        
        PID:5404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1756 /prefetch:1
        7⤵
        
        PID:5872
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
        7⤵
        
        PID:5960
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
        7⤵
        
        PID:1708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:1
        7⤵
        
        PID:932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
        7⤵
        
        PID:796
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
        7⤵
        
        PID:4956
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
        7⤵
        
        PID:3508
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
        7⤵
        
        PID:5196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
        7⤵
        
        PID:2504
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
        7⤵
        
        PID:5984
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
        7⤵
        
        PID:5776
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
        7⤵
        
        PID:1936
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
        7⤵
        
        PID:2856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6796 /prefetch:1
        7⤵
        
        PID:1612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
        7⤵
        
        PID:1748
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,758904243452453304,12481614893070313094,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7308 /prefetch:1
        7⤵
        
        PID:3196
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:4924
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebc5846f8,0x7ffebc584708,0x7ffebc584718
        7⤵
        
        PID:4512
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:3352
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebc5846f8,0x7ffebc584708,0x7ffebc584718
        7⤵
        
        PID:5096
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5216
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebc5846f8,0x7ffebc584708,0x7ffebc584718
        7⤵
        
        PID:5232
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5248
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5804
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebc5846f8,0x7ffebc584708,0x7ffebc584718
        7⤵
        
        PID:5816
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:3580
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebc5846f8,0x7ffebc584708,0x7ffebc584718
        7⤵
        
        PID:4972
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3756
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebc5846f8,0x7ffebc584708,0x7ffebc584718
        7⤵
        
        PID:1724
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebc5846f8,0x7ffebc584708,0x7ffebc584718
        7⤵
        
        PID:4992
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffebc5846f8,0x7ffebc584708,0x7ffebc584718
        7⤵
        
        PID:4900
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:3240
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebc5846f8,0x7ffebc584708,0x7ffebc584718
        7⤵
        
        PID:5300
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5296
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:6052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebc5846f8,0x7ffebc584708,0x7ffebc584718
        7⤵
        
        PID:6124
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5344
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebc5846f8,0x7ffebc584708,0x7ffebc584718
        7⤵
        
        PID:3056
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4952
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2796 -s 1408
      4⤵
      Program crash
      PID:4304
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 1160
  2⤵
  - Program crash
  PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5084 -ip 5084
1⤵
PID:324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2796 -ip 2796
1⤵
PID:2604

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
68KB

MD5
0cccccd82d68d5ff076e1bd047436ec8

SHA1
0b9d6ebef9ac1c03f8138e9fc9203f9cd69d2a73

SHA256
0e9d24e58133fdae2fe766ece9358afdc57da1568485bf36182851b6c1291246

SHA512
84c357d75e1b7c25249ef826bf5ea9ef4445f2d4f985ae7128363421ac28f1cf438256cb40cdfd2fcf9ad439900dfc7796f9ab850e0445dbbfab5c23f29575eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
487KB

MD5
831a0aa25af2c60a7380ea75c321d930

SHA1
140ec306c24ab6f348c4dde5900b219d817e2026

SHA256
8cdde5daa52335c0a4e416f6fc22aa80744207a38fc276bd65341c2d2e903557

SHA512
0147937b2b2cf9bbf7e8dbee2d598e156c6ce4ddff224b3dc48caed96e89038ecdff1ace743b82fdf6155c40b674f4b1983693dbe45c39898487d3b7be258161

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
89KB

MD5
6c66566329b8f1f2a69392a74e726d4c

SHA1
7609ceb7d28c601a8d7279c8b5921742a64d28ce

SHA256
f512f4fb0d4855fc4aa78e26516e9ec1cfabc423a353cd01bc68ee6098dc56d6

SHA512
aca511bfaf9b464aff7b14998f06a7e997e22fcbe7728401a1e4bd7e4eceb8c938bbd820a16d471d0b5a0589d8807b426b97292fc2a28578a62e4681185556c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
259KB

MD5
34504ed4414852e907ecc19528c2a9f0

SHA1
0694ca8841b146adcaf21c84dedc1b14e0a70646

SHA256
c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810

SHA512
173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
19KB

MD5
4d0bfea9ebda0657cee433600ed087b6

SHA1
f13c690b170d5ba6be45dedc576776ca79718d98

SHA256
67e7d8e61b9984289b6f3f476bbeb6ceb955bec823243263cf1ee57d7db7ae9a

SHA512
9136adec32f1d29a72a486b4604309aa8f9611663fa1e8d49079b67260b2b09cefdc3852cf5c08ca9f5d8ea718a16dbd8d8120ac3164b0d1519d8ef8a19e4ea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
62KB

MD5
8ccb0248b7f2abeead74c057232df42a

SHA1
c02bd92fea2df7ed12c8013b161670b39e1ec52f

SHA256
0a9fd0c7f32eabbb2834854c655b958ec72a321f3c1cf50035dd87816591cdcc

SHA512
6d6e3c858886c9d6186ad13b94dbc2d67918aa477fb7d70a7140223fab435cf109537c51ca7f4b2a0db00eead806bbe8c6b29b947b0be7044358d2823f5057ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1bad42f73e78cf96_0

Filesize
295KB

MD5
a1cbd00d9e8adbf161b7f1df4c8163f3

SHA1
2c4def11acfac640c2d569e4817d5e2f8691a158

SHA256
bb080df268f28fbf438cd612a63122a6d7d0d9f49486827b146c268299b19c02

SHA512
b872504094a007bdd99890dd20b29d0088b15c720bc1dff1c885fe52fa151289d01454945b49cbe359c7c3952374627c7353ff70e3feb2ce79590c20ce27c705

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\26f1a435530e3442_0

Filesize
1KB

MD5
00fb1c8cb83ad546a5f36cbc33e7650c

SHA1
b80879367d5fbc1d83d873f55540e88d5dcdf5a0

SHA256
ab94c0b0d9026aecaa28bc8d604637454dafb17653a76c28471ada5c23d15103

SHA512
cb39c836dbb7e6cafc4cc2876de2930e7f6f09f7cef73993d1e3c24c82317be0dec69586cd534897b7b0cc74b31442129a363228ac5f511f59af642a2b15fb83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\315786764d1e7149_0

Filesize
1.3MB

MD5
f9f2378b71bcfba219a14acc67d862c7

SHA1
e14f74a5666de47f490191ef0d676dea8dceebad

SHA256
6c7e738306063cc9e378040d8907d5bf466c7f2fe0ce5651ac5d75a4c074e39e

SHA512
163468f9ccf5125affece769cbd5d1d687cff696fd8d0d52daf381ae3412423918a264791b63a5861a2b4ed94e10198b6ffe28efcbb9ffb751f46d8117c4ed60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

Filesize
272B

MD5
5782e09cf93cc9f589b470ecc384599e

SHA1
26cf9ff59920c1d561a64a6819291fe70a2cb7ce

SHA256
97b9c5107da3c3c12afbea0f13022c8a6ed5e225451c4f0e3c982fe8f0bf95f9

SHA512
30df0136058b472d24bfcb1c78e1db40ca22f66a281515b75b6a7764bff7b040dd01388ff01a48f58ee2ecad97edf9f8202ab82ac2935484ea430760059a2d96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4b880c9454adc61b_0

Filesize
1.2MB

MD5
cfabdca3bfaa75db602a45910aae465b

SHA1
e0a5825a97627091fd14c967e3a807c33f3db012

SHA256
9d9a9fbd22fbce14f602f35a2bcfb6a530276eeff2bcdf1665d9477835a49987

SHA512
dbd69b5c936eb1a0e44e764cae883ecf4d93a64670ec2911d7ae133fdc839c0a657b68e42bab89d65176b31bbc1666b42c768044faa26a4f2d1d9f0998f0035d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

Filesize
291B

MD5
42d384cb298da35dfa01bfe845265292

SHA1
c44d46b372b90c238cba7de1474a05b169ddcff2

SHA256
9d200adaab477f36a1c44c11d9b15fba0b5f0ccfbefdbb8a0a30b7ab13d72c3c

SHA512
b8b8d8dcbd9e0c607725d758e5614d728e1291c164e55c81b91ca95b66c9175f313f95280b6816d2307f63724eb7b05a59d0c311580c10f3973c99e2f065497f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ad853988f10d0eb4_0

Filesize
188KB

MD5
ec0adce41d85b271c915d6ac04301039

SHA1
3d8df01e572181a085105f7c19e58e07245369f4

SHA256
0971c32d080258db4a4b480add5123403015b54f8d6c988949ddbbc662ae0e82

SHA512
823576636fa40505da1b65cf010c145f8304d34c606b5a443eba225c825f5448c0aa2c97f121eaeff9db9c8536569e63ea667de1ded0157ebd61aa0989bf952f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e91da4b52bb26ef3_0

Filesize
297B

MD5
0e444f129aafca8f9facf43f1915e2c0

SHA1
58d46be5731097fc98e096744a13c19b20e4e99f

SHA256
94ca361a878a96ca7ff5426a6f937bdc457531a4357498c04df51732099c208b

SHA512
536f30a45ca1fa7f6dd6cd9e3f0f976c60d317ad6204569825dac42e9e95b220360f016fd84c2ed24403559d29d28106061eb8b0e751a19900c6660f7e8c8807

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

Filesize
269B

MD5
105eb392866121e8bae3721c3177ee53

SHA1
1ee2381fdba98bab0c3c8b0cd5d9956932e467e9

SHA256
a3df80dc5dda7922fce3175e095e9bb229f7db5c7451f0298e3699bd3ddc1635

SHA512
d507beb9b240bc35043bb274ef248968c0a6474c183fc65b6d72c89ea80b11e1463948aec34d07a89e515dd6b655f01b4163b4e76d030900434f2c0c9d6ae90a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
96ae9e4bd74023ee5df48dd32feb551f

SHA1
2fff9707ee847f6c94d8f48b45a133eaeda28d71

SHA256
2582a79801dd51235e15b661288e4ad1def8755a29f856735d9126b09154fdac

SHA512
7c491f10820a14710fc2ad5aed54f99feb295369172949027e699859e70a9509b2e7cba92c9c991790a6bf766eafd61354e3590300d13fafc6f2ad7f8497e8e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a1a171e789eb0c81556f7f26034e23ff

SHA1
abb4fe35f99e6d382600a246620f64146fd15743

SHA256
2e414f850a4561f954b0add747d929212243c225612acc32c255da428f857f7e

SHA512
d97f7110437cd747960404ee83ac13f1bc4c177416398090791ff9fbdd490cd6ebe8a42cb27ba8ae828019acff6c1674773efc53bcfd7d8372f500d24f4dfdf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
796f30d174bb4fa27b40efc0255ef361

SHA1
005c63ef1bbbf73bbe28fc5ec32d64e588e79758

SHA256
b552a8fe93f1da9b2b0b555ee672e768ac5e133f05eb2580b9ad710f12d96fb9

SHA512
759ebee81f1b7051c36ca1bda1d613e5d029beb1c2c27d310ec8422aa1378db1a491a0df3616c78ffc9ff41738f22a4840c786883c22c225cbb07a79d9454991

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e2bf905f61635f6e25c961a0907a7c05

SHA1
f0ae66515773184a6321be9c108896a4bb400dfd

SHA256
811b1a5d82626c8416c30d81ac5f118eea1359924223ecd6f1421c91af375f8c

SHA512
226c3988aa444bfd940a5a8057d829970882b329db27fe223eade6a687539ef3f8131b7760ffbc59b586b934ef74a59177ed3bb3017d23d09a30f093a395c655

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8502e581eee1684996be3ec7d2fc4b28

SHA1
4c69836d409b437108a4be3aca0787fcad767ec5

SHA256
969338133759d6155b1253922f921cd76ebfad323a096798777914744ce16b02

SHA512
254486c382d895407f704ca62094307c407485e59ba118584ce29da55efa0d1395309fa15b0ea7bbe70293cecca1ad060dd6c333952ed4bfb50dac48bc3483c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5614160296d2b47799a4336dcb9f3371

SHA1
29509041756667befb075bfa8328e6c61a0eeaa4

SHA256
fc85db455b37fdfbd9d5911a8b9a68155b7b9f509ce6b0a804bc2d1e79530e7d

SHA512
d085c8d352920e9521d7993736696cf050868b02b338a333b1137c17039466d981ccc85385adc8e1ab9ef8091abd589481567a88305a10a2fbfcaceee4759197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af529b83a99ead8f38b57fcb70224dbc

SHA1
e38b1506c15ccff33a269f6c205ac959b78ac486

SHA256
dd4bb81ff132686ddb0439d933051c469981532ccb66a0c6b943f17b8f7fb0a8

SHA512
b98db510e66cd44ec3c2a8325395cc82889b25b59dce8d5f4b9a7a54490309e94ba8e7578e88e15bf1ae068b836c980e97623432cf785f52c48c0b5f499d86fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
743e26b5e7b469ec63d47e6a114de960

SHA1
f2430598c1e3b20afaa1359ef431c0b0828d6f0e

SHA256
50a0a2532e79f3fd62198644ab6217120b85d8f470c146fb30743fb711732aa0

SHA512
1c41855e29252ebe01402f1aa47dc449e58c5703f0d4138b56031eafc7697091ba971f395c9555fc1c1b49795348236863a805f1bd499dc1a8de56a758bb6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
da9001820690cdaebf5c0139cce66155

SHA1
1715e8e7597d7a46d78cd46d8081c2b5910d98e5

SHA256
72585eb51fc79221c1afe457ed32626d0a64c8accaca2d839623dd302d9e237a

SHA512
c855f1d12d4fdc248e15826799027d40da34d7cd6240614f1703559ef98b5dc81a7820a00e1d44c5526ad02cd5e129001bf375b96676fedbd215a4f8bd88c4ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
14ead674baa20ec9c4e28a1d10d23b99

SHA1
423c76b455f3b20c6012f53083b12a2b52c09618

SHA256
2aa6403b59773c4f875ef307b5fdf1e3ea3685c21ed383eaaee9b43f15ee98f9

SHA512
25d8bc04dcd216045034e83f782539e407be8e952228526590fd0236fe9964288f06afc7ea637a6840026eb75717fc025690202dd5829634ec64a1eaf4e76988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
137e907d46af919cfe5fb3b94039bf29

SHA1
b7b5ef363128011f8994ee4a01d98a97f7e659c4

SHA256
1c32bf28d8912f6b851f47dc4003f62347b2db110a80f8a8788b6bdcc9474b2a

SHA512
ce3d1f17de02c964f5be6f602293d6bf4f1c791d720e59a917f8fbbd79ded61a3b657f33e1f85979aa3d68b34de7cad20af9bab86f9863e706e776ca4b72744e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
c5205409c865c6b1fb2059adea806bfb

SHA1
61cd8d0c275e0dee93e27dd06d8b74d6dfbaefd8

SHA256
ef7497593407702278c96ed5273d0bf36b677e62f0626ecf6edd139b62e14012

SHA512
ff01e5cf2ef4676a20064f955950bd2f76d099f1a0360bead39ca141dd7b9dc743b2efb1f02cbf97a53c714ac91d3bd0ec09d9629e94d9c3e45ead4d347098ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
7ded2f7298be53c85351da82db44bb94

SHA1
b5f2802d10b057229eafcf8b250f56a35f1b695c

SHA256
89c7d97991e9b9b339cedae4fa43efe46067eb5c1808839901d4ce8cfae0b92c

SHA512
ef7df6c977bbe75479f618a092f139c6e5f28e9480575e407d1b65bf61c0f28b8321003c2d7c8344778797ce29b2cf179a5de1fbef25d422cb0b4136c1e7f90e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
37876f7a7cb7ac90f27fc43dedeb70ec

SHA1
bbace953f8bc169fbb5d2cc3b65a807591b72357

SHA256
d70f1c9fb55158d06773b73e2f5547f4ed6873b8da65ddd0241f250a5d968549

SHA512
37943562ed991ff5c1c0387c00ac90c76eef9300022640218022615beb6de914ed8f1893fcc98cc75f924485c0d1b7c20022f44fcc678d5cfd16627bf65316ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5894b9.TMP

Filesize
371B

MD5
25da31d626f6f24c03997143c7452a05

SHA1
c859b395dab0fcdadfd29645b4a8a4358aa1e863

SHA256
7fd58ef63ba347bcde5300ec38a106b712e4acb74a1d5736b6ef499974878d93

SHA512
95072dec7dc747f6b2aa688f3d4406757a0877bd9800b51761eff01d394e4801fe6631cfcf2d2b7a8b4b13e5e51a13a20b0a86ae9de40ae14566f1d3a0bed92f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
802620b416af1cb10b0e0db583dc3b4a

SHA1
62d596b50e0caac959a7ba55d20524d45549fb22

SHA256
16075b1662d9f6f5b4b9fe50ca9f748778f27c2eb454c257baa999f807500364

SHA512
8916e0498b315a81804be4182b4161997051c3f0aacf815641ca03d638f6893710a9f102acfb6c53b0837b783dd8ab096fd9a7b637bd33d0ce5992ed5d751a4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
408cd36eb88759cec915eb14cb05c101

SHA1
e89fd723a8fec814df782807a09dacb5e219a65c

SHA256
d54d979184e54717a19565f857a52ebf257a104a594331233544d95eadcd7b2e

SHA512
d50657269fa29a74db64eaf5f4fd9b87931dfc6ca3ad919aae08e3e8fa55858f281e602de037b26aababe95b6fc6006649b90e103bf5e115f4e7cb9fb31a6d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wouxkl2x.ryo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Graias\graias.exe

Filesize
962KB

MD5
4a9440baa61be8363a372b0bbc5933ad

SHA1
9aa5380dc87829c6fa22e9029cadcab9f6221ef9

SHA256
51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c

SHA512
648bd4434ce14e15c3faba25945525fffec6dad028e8fe26982d70096ccd448ca6e114e10739b1e990ea65970db97897713b8054450f1cd98c9aacb596436b0c

Download Submit
memory/2276-21-0x0000000004E90000-0x00000000054B8000-memory.dmp

Filesize
6.2MB

Download
memory/2276-94-0x0000000005D30000-0x0000000005D4E000-memory.dmp

Filesize
120KB

Download
memory/2276-119-0x0000000007380000-0x0000000007388000-memory.dmp

Filesize
32KB

Download
memory/2276-118-0x00000000073A0000-0x00000000073BA000-memory.dmp

Filesize
104KB

Download
memory/2276-117-0x00000000072A0000-0x00000000072B4000-memory.dmp

Filesize
80KB

Download
memory/2276-116-0x0000000007290000-0x000000000729E000-memory.dmp

Filesize
56KB

Download
memory/2276-115-0x0000000007260000-0x0000000007271000-memory.dmp

Filesize
68KB

Download
memory/2276-114-0x00000000072E0000-0x0000000007376000-memory.dmp

Filesize
600KB

Download
memory/2276-113-0x00000000070E0000-0x00000000070EA000-memory.dmp

Filesize
40KB

Download
memory/2276-112-0x0000000007060000-0x000000000707A000-memory.dmp

Filesize
104KB

Download
memory/2276-111-0x00000000076B0000-0x0000000007D2A000-memory.dmp

Filesize
6.5MB

Download
memory/2276-110-0x0000000006F40000-0x0000000006FE3000-memory.dmp

Filesize
652KB

Download
memory/2276-109-0x00000000062F0000-0x000000000630E000-memory.dmp

Filesize
120KB

Download
memory/2276-98-0x0000000006310000-0x0000000006342000-memory.dmp

Filesize
200KB

Download
memory/2276-99-0x000000006FA50000-0x000000006FA9C000-memory.dmp

Filesize
304KB

Download
memory/2276-122-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/2276-96-0x0000000005D70000-0x0000000005DBC000-memory.dmp

Filesize
304KB

Download
memory/2276-19-0x0000000004770000-0x00000000047A6000-memory.dmp

Filesize
216KB

Download
memory/2276-83-0x0000000005860000-0x0000000005BB4000-memory.dmp

Filesize
3.3MB

Download
memory/2276-72-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/2276-18-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

Filesize
4KB

Download
memory/2276-78-0x00000000056F0000-0x0000000005756000-memory.dmp

Filesize
408KB

Download
memory/2276-71-0x00000000055E0000-0x0000000005602000-memory.dmp

Filesize
136KB

Download
memory/2276-22-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/2276-20-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/2556-544-0x00000000004C0000-0x00000000005B8000-memory.dmp

Filesize
992KB

Download
memory/2600-242-0x0000000000600000-0x00000000006F8000-memory.dmp

Filesize
992KB

Download
memory/2836-95-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2836-17-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2836-13-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2836-12-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2836-11-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4264-158-0x0000000007CA0000-0x0000000007CB1000-memory.dmp

Filesize
68KB

Download
memory/4264-157-0x00000000079B0000-0x0000000007A53000-memory.dmp

Filesize
652KB

Download
memory/4264-135-0x00000000060C0000-0x0000000006414000-memory.dmp

Filesize
3.3MB

Download
memory/4264-159-0x0000000007CE0000-0x0000000007CF4000-memory.dmp

Filesize
80KB

Download
memory/4264-146-0x00000000067A0000-0x00000000067EC000-memory.dmp

Filesize
304KB

Download
memory/4264-147-0x000000006ECF0000-0x000000006ED3C000-memory.dmp

Filesize
304KB

Download
memory/4780-643-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-509-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-404-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-744-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-281-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-127-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-132-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-130-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-125-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-738-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-282-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-642-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-508-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4780-405-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4952-740-0x0000000000460000-0x0000000000558000-memory.dmp

Filesize
992KB

Download
memory/5084-97-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/5084-6-0x0000000004F00000-0x0000000004F9C000-memory.dmp

Filesize
624KB

Download
memory/5084-5-0x0000000004CB0000-0x0000000004CBA000-memory.dmp

Filesize
40KB

Download
memory/5084-9-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/5084-10-0x0000000006580000-0x0000000006644000-memory.dmp

Filesize
784KB

Download
memory/5084-4-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/5084-3-0x0000000004C10000-0x0000000004CA2000-memory.dmp

Filesize
584KB

Download
memory/5084-8-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

Filesize
4KB

Download
memory/5084-7-0x0000000004FA0000-0x0000000004FB4000-memory.dmp

Filesize
80KB

Download
memory/5084-0-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

Filesize
4KB

Download
memory/5084-2-0x00000000050E0000-0x0000000005684000-memory.dmp

Filesize
5.6MB

Download
memory/5084-1-0x0000000000130000-0x0000000000228000-memory.dmp

Filesize
992KB

Download
memory/5296-644-0x0000000000670000-0x0000000000768000-memory.dmp

Filesize
992KB

Download