remcos | c8017f526793dd8b6b6e98bfa9847fcf3aa7c4096a8432719a8324e06ba8c088

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7caf240db905f259197cf71b03acf888.exe
Size

960KB
MD5

7caf240db905f259197cf71b03acf888
SHA1

d8d9726a0a67795a01fed368055d9315feada3fd
SHA256

c8017f526793dd8b6b6e98bfa9847fcf3aa7c4096a8432719a8324e06ba8c088
SHA512

1f9464e14d33bfab44dfc85486bea31126a26929e04eae1159e6ecc886aa79877ca29aa93e614512625000d153e090c06b3b2081f9cbc1e8997ad26e59097255
SSDEEP

24576:GzrpUdcKiEWIXZ4aQJkf1dedJNxkTeGnAoEe:cpKiEWIJ4aWkfjedxkTeGAo9

Score

10^/10

remcos graias discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Graias

185.234.72.215:4444

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
graias.exe
copy_folder
Graias
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
graias
mouse_option
false
mutex
Rmc-O844B9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
860	powershell.exe
4496	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	7caf240db905f259197cf71b03acf888.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	graias.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	7caf240db905f259197cf71b03acf888.exe

Executes dropped EXE 2 IoCs

pid	Process
4988	graias.exe
4580	graias.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-O844B9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Graias\\graias.exe\""	7caf240db905f259197cf71b03acf888.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-O844B9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Graias\\graias.exe\""	graias.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 2940 set thread context of 5088	2940	7caf240db905f259197cf71b03acf888.exe	99
PID 4988 set thread context of 4580	4988	graias.exe	105
PID 4580 set thread context of 4220	4580	graias.exe	106
PID 4580 set thread context of 3968	4580	graias.exe	133
PID 4580 set thread context of 5464	4580	graias.exe	142
PID 4580 set thread context of 3872	4580	graias.exe	152
PID 4580 set thread context of 3056	4580	graias.exe	161
PID 4580 set thread context of 5264	4580	graias.exe	170
PID 4580 set thread context of 4148	4580	graias.exe	178

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	graias.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	graias.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7caf240db905f259197cf71b03acf888.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7caf240db905f259197cf71b03acf888.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7caf240db905f259197cf71b03acf888.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
860	powershell.exe
860	powershell.exe
4496	powershell.exe
4496	powershell.exe
3092	msedge.exe
3092	msedge.exe
964	msedge.exe
964	msedge.exe
4412	identity_helper.exe
4412	identity_helper.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
4580	graias.exe
4580	graias.exe
4580	graias.exe
4580	graias.exe
4580	graias.exe
4580	graias.exe
4580	graias.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	860	powershell.exe
Token: SeDebugPrivilege	4496	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4580	graias.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 860	2940	7caf240db905f259197cf71b03acf888.exe	97
PID 2940 wrote to memory of 860	2940	7caf240db905f259197cf71b03acf888.exe	97
PID 2940 wrote to memory of 860	2940	7caf240db905f259197cf71b03acf888.exe	97
PID 2940 wrote to memory of 5088	2940	7caf240db905f259197cf71b03acf888.exe	99
PID 2940 wrote to memory of 5088	2940	7caf240db905f259197cf71b03acf888.exe	99
PID 2940 wrote to memory of 5088	2940	7caf240db905f259197cf71b03acf888.exe	99
PID 2940 wrote to memory of 5088	2940	7caf240db905f259197cf71b03acf888.exe	99
PID 2940 wrote to memory of 5088	2940	7caf240db905f259197cf71b03acf888.exe	99
PID 2940 wrote to memory of 5088	2940	7caf240db905f259197cf71b03acf888.exe	99
PID 2940 wrote to memory of 5088	2940	7caf240db905f259197cf71b03acf888.exe	99
PID 2940 wrote to memory of 5088	2940	7caf240db905f259197cf71b03acf888.exe	99
PID 2940 wrote to memory of 5088	2940	7caf240db905f259197cf71b03acf888.exe	99
PID 2940 wrote to memory of 5088	2940	7caf240db905f259197cf71b03acf888.exe	99
PID 5088 wrote to memory of 4988	5088	7caf240db905f259197cf71b03acf888.exe	100
PID 5088 wrote to memory of 4988	5088	7caf240db905f259197cf71b03acf888.exe	100
PID 5088 wrote to memory of 4988	5088	7caf240db905f259197cf71b03acf888.exe	100
PID 4988 wrote to memory of 4496	4988	graias.exe	103
PID 4988 wrote to memory of 4496	4988	graias.exe	103
PID 4988 wrote to memory of 4496	4988	graias.exe	103
PID 4988 wrote to memory of 4580	4988	graias.exe	105
PID 4988 wrote to memory of 4580	4988	graias.exe	105
PID 4988 wrote to memory of 4580	4988	graias.exe	105
PID 4988 wrote to memory of 4580	4988	graias.exe	105
PID 4988 wrote to memory of 4580	4988	graias.exe	105
PID 4988 wrote to memory of 4580	4988	graias.exe	105
PID 4988 wrote to memory of 4580	4988	graias.exe	105
PID 4988 wrote to memory of 4580	4988	graias.exe	105
PID 4988 wrote to memory of 4580	4988	graias.exe	105
PID 4988 wrote to memory of 4580	4988	graias.exe	105
PID 4580 wrote to memory of 4220	4580	graias.exe	106
PID 4580 wrote to memory of 4220	4580	graias.exe	106
PID 4580 wrote to memory of 4220	4580	graias.exe	106
PID 4580 wrote to memory of 4220	4580	graias.exe	106
PID 4220 wrote to memory of 964	4220	svchost.exe	108
PID 4220 wrote to memory of 964	4220	svchost.exe	108
PID 964 wrote to memory of 1676	964	msedge.exe	109
PID 964 wrote to memory of 1676	964	msedge.exe	109
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110
PID 964 wrote to memory of 2152	964	msedge.exe	110

C:\Users\Admin\AppData\Local\Temp\7caf240db905f259197cf71b03acf888.exe
"C:\Users\Admin\AppData\Local\Temp\7caf240db905f259197cf71b03acf888.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7caf240db905f259197cf71b03acf888.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- C:\Users\Admin\AppData\Local\Temp\7caf240db905f259197cf71b03acf888.exe
  "C:\Users\Admin\AppData\Local\Temp\7caf240db905f259197cf71b03acf888.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Users\Admin\AppData\Roaming\Graias\graias.exe
    "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4496
  - - C:\Users\Admin\AppData\Roaming\Graias\graias.exe
      "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4220
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8db1546f8,0x7ff8db154708,0x7ff8db154718
        7⤵
        
        PID:1676
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
        7⤵
        
        PID:2152
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3092
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
        7⤵
        
        PID:1716
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
        7⤵
        
        PID:4828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
        7⤵
        
        PID:3280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
        7⤵
        
        PID:1832
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 /prefetch:8
        7⤵
        
        PID:4060
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4412
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
        7⤵
        
        PID:728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
        7⤵
        
        PID:3904
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
        7⤵
        
        PID:3280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
        7⤵
        
        PID:4116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
        7⤵
        
        PID:2652
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
        7⤵
        
        PID:5064
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
        7⤵
        
        PID:4036
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
        7⤵
        
        PID:4180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
        7⤵
        
        PID:5532
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2456 /prefetch:1
        7⤵
        
        PID:5612
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=640 /prefetch:1
        7⤵
        
        PID:5932
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
        7⤵
        
        PID:6028
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
        7⤵
        
        PID:2512
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
        7⤵
        
        PID:4020
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
        7⤵
        
        PID:5744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
        7⤵
        
        PID:3840
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        7⤵
        
        PID:1440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
        7⤵
        
        PID:5440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
        7⤵
        
        PID:2424
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
        7⤵
        
        PID:5728
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
        7⤵
        
        PID:5768
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
        7⤵
        
        PID:4592
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
        7⤵
        
        PID:2376
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
        7⤵
        
        PID:5340
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7252 /prefetch:1
        7⤵
        
        PID:3912
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,16356792747187919002,1847796615181356700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7416 /prefetch:1
        7⤵
        
        PID:980
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:4540
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8db1546f8,0x7ff8db154708,0x7ff8db154718
        7⤵
        
        PID:448
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3968
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:4888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8db1546f8,0x7ff8db154708,0x7ff8db154718
        7⤵
        
        PID:2364
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5428
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8db1546f8,0x7ff8db154708,0x7ff8db154718
        7⤵
        
        PID:5448
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5868
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8db1546f8,0x7ff8db154708,0x7ff8db154718
        7⤵
        
        PID:5880
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5360
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8db1546f8,0x7ff8db154708,0x7ff8db154718
        7⤵
        
        PID:5364
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3872
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:6080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8db1546f8,0x7ff8db154708,0x7ff8db154718
        7⤵
        
        PID:6100
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2844
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8db1546f8,0x7ff8db154708,0x7ff8db154718
        7⤵
        
        PID:1984
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:1280
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8db1546f8,0x7ff8db154708,0x7ff8db154718
        7⤵
        
        PID:4536
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2544
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8db1546f8,0x7ff8db154708,0x7ff8db154718
        7⤵
        
        PID:5228
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5264
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:1452
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8db1546f8,0x7ff8db154708,0x7ff8db154718
        7⤵
        
        PID:2276
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:1080
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8db1546f8,0x7ff8db154708,0x7ff8db154718
        7⤵
        
        PID:4184
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
68KB

MD5
0cccccd82d68d5ff076e1bd047436ec8

SHA1
0b9d6ebef9ac1c03f8138e9fc9203f9cd69d2a73

SHA256
0e9d24e58133fdae2fe766ece9358afdc57da1568485bf36182851b6c1291246

SHA512
84c357d75e1b7c25249ef826bf5ea9ef4445f2d4f985ae7128363421ac28f1cf438256cb40cdfd2fcf9ad439900dfc7796f9ab850e0445dbbfab5c23f29575eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
487KB

MD5
831a0aa25af2c60a7380ea75c321d930

SHA1
140ec306c24ab6f348c4dde5900b219d817e2026

SHA256
8cdde5daa52335c0a4e416f6fc22aa80744207a38fc276bd65341c2d2e903557

SHA512
0147937b2b2cf9bbf7e8dbee2d598e156c6ce4ddff224b3dc48caed96e89038ecdff1ace743b82fdf6155c40b674f4b1983693dbe45c39898487d3b7be258161

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
89KB

MD5
6c66566329b8f1f2a69392a74e726d4c

SHA1
7609ceb7d28c601a8d7279c8b5921742a64d28ce

SHA256
f512f4fb0d4855fc4aa78e26516e9ec1cfabc423a353cd01bc68ee6098dc56d6

SHA512
aca511bfaf9b464aff7b14998f06a7e997e22fcbe7728401a1e4bd7e4eceb8c938bbd820a16d471d0b5a0589d8807b426b97292fc2a28578a62e4681185556c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
4d0bfea9ebda0657cee433600ed087b6

SHA1
f13c690b170d5ba6be45dedc576776ca79718d98

SHA256
67e7d8e61b9984289b6f3f476bbeb6ceb955bec823243263cf1ee57d7db7ae9a

SHA512
9136adec32f1d29a72a486b4604309aa8f9611663fa1e8d49079b67260b2b09cefdc3852cf5c08ca9f5d8ea718a16dbd8d8120ac3164b0d1519d8ef8a19e4ea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
259KB

MD5
34504ed4414852e907ecc19528c2a9f0

SHA1
0694ca8841b146adcaf21c84dedc1b14e0a70646

SHA256
c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810

SHA512
173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
62KB

MD5
8ccb0248b7f2abeead74c057232df42a

SHA1
c02bd92fea2df7ed12c8013b161670b39e1ec52f

SHA256
0a9fd0c7f32eabbb2834854c655b958ec72a321f3c1cf50035dd87816591cdcc

SHA512
6d6e3c858886c9d6186ad13b94dbc2d67918aa477fb7d70a7140223fab435cf109537c51ca7f4b2a0db00eead806bbe8c6b29b947b0be7044358d2823f5057ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\025b6e6a2674ec26_0

Filesize
188KB

MD5
7dfb8c1a97773ac74c2242c2b8d61809

SHA1
8fb81cfee54ac9e64beb71df5fb5f6e6f0d6d28e

SHA256
4fd3a0b45959115d552a6724a1e600f40f6204f693f198d6727603d2d0649777

SHA512
94570e7ce193cfdf762af5745debcd2104f8d7a73fb47814c3221cabccc3bd5a2357f8899741e82b3604025061ca5fae1563c93f8434d7745c1a77fe7b73d305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\04d5f0c1d71fa462_0

Filesize
1.2MB

MD5
f396bafc16342c99136fe9124da143f0

SHA1
ab927be4a5de62a77dea617e675b897a4aad2b12

SHA256
63fbae3e6a8127ed7078c32b04b435a38c82432fd34813591455cf0e3b19af34

SHA512
55f8d63e2e1b7d4e37a185fd3162214d9706b006dfddeed1ddf5491d3851459c112d7a5bb45f11230c60a00e792aa347e2c148bae509f16be8f47f1949463f19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0c3acef239394d5e_0

Filesize
295KB

MD5
3d4a52da9b851a998eb1faf57bb0156d

SHA1
66b5fb3ecc57226dc0dbe071665a32ef05802066

SHA256
037757d313bd3a00aaceea38edfdba952010ea9f7c4208c4b592cbd8c996b7a5

SHA512
c5dadc6bc256ae186959e71a1e59d2b2b4740ca71810389842c5916d00d7e6ce88c9690469ddfe6085a870ec79a657e83dea6eff8c88eb62c3cfc71f426dd6d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\26f1a435530e3442_0

Filesize
1KB

MD5
cabc49dee62a984928aed9e9ef823409

SHA1
1a0a703f2eb1f53bf5fff903b5e8c38099a30717

SHA256
203ab97be5af1b787334422d690ee74e0593165741f506831249babbd676eed8

SHA512
0cd719e6f7e4b7d5435fabae2f070dcc740c9dbd8cfeeb9fbb15a2c12bbf8d96666f4c45e87a88434ca73c0c092b53694b8f46e83b743e2de3a9f0ac43d6fbfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

Filesize
272B

MD5
85d872d3937147ca9d2e4290ad3d3ba4

SHA1
6093974cf6bd875b8747760b5e8a81aaf0cd0964

SHA256
1894bdd746888625ee13bf98e7fcd13b1afcd10d1f024d8d17bf54b43cfbfff0

SHA512
ede0d62468ce71fb68a5159cd39227cd1cad7b57aaa047d1681180adb5bb1d6a33592e856fd0bbefc94d0eb7f4bce920817f903ce9c903451e07906d246088a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

Filesize
291B

MD5
8bef332d190073540c1f28c19782a9d0

SHA1
01c776ee7cf12941ea8b2c14a2d9c4a18fa06d08

SHA256
ca7edd8382068c5014bf5da1554e49d146ac8cd759964a196e18485bc01fc114

SHA512
3f157b8e13eb2e014d6e60bb206228612878504fc789429d02b178718995a45d11ed164459e2d03e22b20cd3d45867eac70ac4d8fc5381f516c146c712216191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c1a8e986a5e83797_0

Filesize
1.3MB

MD5
d9a6360cf47b686b0a8fc7a2b944bf5f

SHA1
63a24a12052ffbed57b0b0df6d50eaf65dc51601

SHA256
fa75126d641cad3298689d2a2990748e27db31b662fdbed87ad9d2ee09add0a8

SHA512
541f02eec57dfd32693004c4863c4199d025a73f3e9387761a386a8ddbf0810ae5c6ef98cba138def3fe6711a80f84bed21aab9aae563eee3fdb7fbfcc2a4df7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e91da4b52bb26ef3_0

Filesize
297B

MD5
8670cea7296f142ec08e5d8e13aa1f72

SHA1
0a84ab6ec871cd19447021d5b4d298a8f0699064

SHA256
600491578046d0aa6eda990b1853c76b05dc571dd46d5d907d21b28c608aaa9a

SHA512
824760a026e92a034be3d035228833c3bd759833b095c63e1b40d08f9e4898b1744fc9b63be37f143086a21119bc9a36ba5fe7d973af3acd51b6582298de410b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

Filesize
269B

MD5
ab4984f89865a8ec903cc99af7e0fb39

SHA1
295d2f11e612c057c6471244eb690474eecc36b8

SHA256
73c2bd11eab73055129ed453459bdb1844540171c5327527bd3d64caca97810f

SHA512
f41f939ae7f7eb9c62e5fbaaf64df77f9dee4b84a25eae9126c9ea1ab70017e38ccbdeab6c458d49b1476f3071ae2d314fc3b27cdce87f316b0b9ae618d79a9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
011de3f030980b71f6c3be20a659e8a6

SHA1
7f1d2f48fe45e86f3ceeec5ef1b9e61eb949eacd

SHA256
f3e8aa66f68b016cdd14c18ecdf7a51020467522a113ff8307119c16e0dad0fc

SHA512
1085a2356ff71e0235979a6f2d4cc5620447d0131f27761cae6b9fd43af3fc31172b92a1a2d7e3d722d90f1e8ad9417261c356db80a0d64b0c8d5408923b243c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f2f4c67c0dd8486c96254839f81a9482

SHA1
b406c41d128d0abfd48c63d399a6ac9d73f2cb21

SHA256
62c703d1eab064d7878dbd0b9dfd0ca5a951883653e4868db48369230ea6c37a

SHA512
cc93b37cb197ee247d5586ed3cf303857dbeb269231f3dc609f28b82abd613f94cca8492a1d362d8d4507dc8589493be8321547bf58ee7bd00fad6dd5e245754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
24d35fac5476f02d9acb6affcc42eb7a

SHA1
f677e94ee0c7c1d336c49c9ecfd546dd6a20304d

SHA256
26f5afeb702135afa690df9d78d463b15ecad5863aa2f9258ee940535cc15cc9

SHA512
fb4143e6aa09e41dd25e5c6cf58ed8df7d41acc024230752c116f72cdfbd68a0af0d1752e75531b0857ff86d32cff63a232809068dc3cbb4676d8bc33293f509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
98059abf11ed7fed5df59efe972a90de

SHA1
afb9b5e7057c4bead9144fc20d3b2520f94a1b87

SHA256
88123cc637a8f4b005cd8cf1aca2edd216753e0862856c60cdc5738e53ea4e07

SHA512
48253aa63859159573d17eaadacbf26a1f611c0b99c245b7f240d7cc67b8249f1ec036986f1471b82066f810a864c4d9159fa7758b3a7380715d676be53e625d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
77a573b97ea447c3c49908d636358d56

SHA1
42d269f9874a358b32e0cd5cfea7667b3bad4485

SHA256
2cf4dcfeb2683fe253cd5d5cb112ed07bbdd71f13871c95545c3dc878ff84ea4

SHA512
a7d657d2521c233e3aa4866123d1044f930b22964e6a0a23afad199a43956aa5b58bba29134c78cc2dc2523b5279aa22233e869245b1c742d64375b094cfc942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8dc769855fa8ddb16f68dac003eea89e

SHA1
d19029d89f87df6c165f91212d6d65518ef9a49a

SHA256
c4c4f230b994ea66d6f269d782b5034757ea3ec5af445ffe7e1c8dc494e69ca3

SHA512
de92c628259fa42f57a43e08fac82979217b5580ebb54731089b07f01a22d9f3c5a3f5c396567dadb1d7b6fd51fb2893c5f25f36896baec8af5b6d6039d609c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a1a462c9a63b163090b80c6928767c0d

SHA1
9c89fd744f9e9afd5cc5f06f63e7c5b3f25409e0

SHA256
61cd48e649c87cf19f13eda92ac637b905fdb115b24284d6933945ecc4e3dc04

SHA512
44184c7c827030a365cb8e023aa488c5094789d8a15ba45b578ebc9c6c4a3f42f1266180200e5130047b823935f6048e7c670fb0c5ffc4a7a0520d0182a25ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
13754f79f3f1fd5a293e621b14edcb9d

SHA1
b810c07746460650e6b9615420842a1a2ef67868

SHA256
48f81032be193d86ca1f9e53adcc714032a0e5a6a8481488afbc520fc137ce75

SHA512
7be9ea1cab3a5608c05666775071a85e1a0e0e5dd803b459227466777195e513d3e0679735ac17decb9c7c45925857ba41b577a1852d3cba779a73ac7c33ca97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9ddbf3a27fd1830207710c5c1cbc0456

SHA1
48f571299236eb3ef99f80373cc23846966cde3d

SHA256
95c5d305f34571b9ccf3c97c2271b41b77c47faa597661adefac0e967a111f70

SHA512
d537563272ad6961e97547915d46020186269ae1ef2cc04b41baa69ab01bf49eef85f02639e98fe56b901ab1735fe6b6db3248e4dfb6537ec568d73c60182cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
1e56265f0b7b6f3ef1384a586ac86a55

SHA1
e01a5ee04e9321c5f8378ab16763d55c95ecc26d

SHA256
620cb98f3ee75e905d917cc1b5779403805ec2c7db75e97a2b6392ec4c518b7d

SHA512
4d3027ee24bb413a379046bd75355bc5ce4c8242e05bc4765014a4a81ed63730659a9f8871380cf26199eec6bf77915198475f91b39f7e7e978ed49a07e5c83e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
37b87fb0fa0e001706ac879be1b8431c

SHA1
95af1c35eafd6926d0ec5973fe262ae0d04a35a8

SHA256
10da630a0ad53068cd59f44602ed73d41d74d417cf67eb15218be1dbe5c8d712

SHA512
9530a736a770489f7842db87c855cb47fbd63275b56d39c79ec5d685808b0a22258085530db512a18dbccd2a3a36ffdeec5f71aeda4f8e401c70ec31a7d8f114

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
12884b0b6e59049cfce9178f76085c2f

SHA1
d0357b9e537cbb6f765c8b3a65af9d40f215517f

SHA256
79cd186739b38c505033b92071faa5a501058a8816507831431790568908d89f

SHA512
c7ac04f9414f33720d9b7c101c8536b557b6d0085bcae67820ff2988cbd8c29194a251393195a0cf1be992a45500648588182ed3cc0b0812afef1c3864cb0b3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
367B

MD5
0c9976c89ce5b88aa1b5559cee9e70e5

SHA1
4a548f24169f1b3751bb13d0c211637c540af247

SHA256
d1045f12fb34d771754447be70e20cd8112e610890c8e448acc932f95a1cab13

SHA512
e75dba767e7ad3af15e90c4ac5b230cc5ff99a00bc22e2171a2414b088e56f6fc84bf2273592eb509d4687ba3966ec68807ef07b27aa2dd569d6451506b203c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
d1a71301b27cb12b58dd4938cd8b39ab

SHA1
a66037e67cec74d43ccd253cea30d4acc5157a24

SHA256
5564ec1d7b39d7fc3bcdf1cd1e16acdd7d784bc8639de2797dee40f5fd0e6442

SHA512
8f04c79603d744aa272b6ce279cf75ae13bf64477b118735ed1bc9fe7769f9cbe4b208e0683bc005a793f082ba8a2cd0123884961b38abbd27a5ad0eec833133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
b482a39f47d30792c221f471c01c7297

SHA1
1d1c2c9a0ba161929a21198517e424513322154d

SHA256
fbc85c34656f72a8899838a5055e354e6b73ff5ba503f366230c98e0b121ee45

SHA512
011d9fdd20ba54bcd1a28e0d3158ec31d911b7741abf4e36866aece2244d411d3845f03c30780f8d110676fce427458d6571bb6b0b01552742d2725c8b36bd42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
e9f74e0d17ed0d62fa8a1cc0d3d7e9f7

SHA1
c6d1a0a3b81a4083f5de2ec66ffb648b61a0b644

SHA256
e208ef10f0048c5bdda9319515a628046a467548df87e4d99b6ed9f756b609e0

SHA512
f1834742124de4cbdbda746e6c25357b93de1b4923e041081d1650a46d0e36e76c50bd7e46a5b909dac85024c52bbdde4d99224ed613e112d2eacb790977ff19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588bb1.TMP

Filesize
371B

MD5
74cfdbde633b035c64b92569c272706e

SHA1
8a17154ac6d5147aa50ce545990e9884be92505c

SHA256
289f012857d4bfe318fe8ac0b27b25e7ec8c193632310c5c340324cdef573677

SHA512
c30a57816e77b54a921206251ffdb4407e0919218db31d980f54ed0fb062146767c3f9d475298534f4e27ee010dc419f7b7d444bdeafcf8f23b8ece9a8e70232

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e3dd328acbc1a9a18dc89f12d5c50a51

SHA1
b3444627022e22136e5e07db3de2c584358e30ce

SHA256
76524b8103c1cba46a194191a380f3f9ba424828abdf3944f00b780d74a98b8c

SHA512
30886915d467bc09fe8492e94f35c3cdcb272a87379516f414ff688f3ff1f0bc0eb48317a09c1e7e6388050cf1320601c4313cfa071d81dbbe33501860a33dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c000a085b0205c64172cc4d73327b4eb

SHA1
d6a0c23d7a9b0c36a4b6da44a953ee1ff6b8e7f9

SHA256
8407daeb14f7f905bdfe952f857098c542d79c550d22da1ae69980514c88d9d4

SHA512
1ba66e56a9a51e5a8617ffc47cf62a3b8fdae9458c422b722d7168fdca47d10da249fc250b2181a2e9f8e867f6318ff92542682bb9b098608961a12d64110347

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yahfncok.hwv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Graias\graias.exe

Filesize
960KB

MD5
7caf240db905f259197cf71b03acf888

SHA1
d8d9726a0a67795a01fed368055d9315feada3fd

SHA256
c8017f526793dd8b6b6e98bfa9847fcf3aa7c4096a8432719a8324e06ba8c088

SHA512
1f9464e14d33bfab44dfc85486bea31126a26929e04eae1159e6ecc886aa79877ca29aa93e614512625000d153e090c06b3b2081f9cbc1e8997ad26e59097255

Download Submit
memory/860-93-0x00000000067B0000-0x00000000067FC000-memory.dmp

Filesize
304KB

Download
memory/860-74-0x0000000006110000-0x0000000006176000-memory.dmp

Filesize
408KB

Download
memory/860-19-0x000000007424E000-0x000000007424F000-memory.dmp

Filesize
4KB

Download
memory/860-20-0x0000000002E50000-0x0000000002E86000-memory.dmp

Filesize
216KB

Download
memory/860-21-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/860-23-0x0000000005900000-0x0000000005F28000-memory.dmp

Filesize
6.2MB

Download
memory/860-22-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/860-73-0x00000000060A0000-0x0000000006106000-memory.dmp

Filesize
408KB

Download
memory/860-72-0x00000000058A0000-0x00000000058C2000-memory.dmp

Filesize
136KB

Download
memory/860-84-0x0000000006180000-0x00000000064D4000-memory.dmp

Filesize
3.3MB

Download
memory/860-85-0x0000000006780000-0x000000000679E000-memory.dmp

Filesize
120KB

Download
memory/860-99-0x000000006E890000-0x000000006E8DC000-memory.dmp

Filesize
304KB

Download
memory/860-122-0x0000000074240000-0x00000000749F0000-memory.dmp

Filesize
7.7MB

Download
memory/860-119-0x0000000007DC0000-0x0000000007DC8000-memory.dmp

Filesize
32KB

Download
memory/860-118-0x0000000007DE0000-0x0000000007DFA000-memory.dmp

Filesize
104KB

Download
memory/860-117-0x0000000007CE0000-0x0000000007CF4000-memory.dmp

Filesize
80KB

Download
memory/860-116-0x0000000007CD0000-0x0000000007CDE000-memory.dmp

Filesize
56KB

Download
memory/860-115-0x0000000007CA0000-0x0000000007CB1000-memory.dmp

Filesize
68KB

Download
memory/860-114-0x0000000007D20000-0x0000000007DB6000-memory.dmp

Filesize
600KB

Download
memory/860-98-0x0000000006D50000-0x0000000006D82000-memory.dmp

Filesize
200KB

Download
memory/860-109-0x0000000006D90000-0x0000000006DAE000-memory.dmp

Filesize
120KB

Download
memory/860-110-0x0000000007770000-0x0000000007813000-memory.dmp

Filesize
652KB

Download
memory/860-113-0x0000000007B10000-0x0000000007B1A000-memory.dmp

Filesize
40KB

Download
memory/860-112-0x0000000007AA0000-0x0000000007ABA000-memory.dmp

Filesize
104KB

Download
memory/860-111-0x00000000080F0000-0x000000000876A000-memory.dmp

Filesize
6.5MB

Download
memory/2940-4-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/2940-6-0x0000000005130000-0x00000000051CC000-memory.dmp

Filesize
624KB

Download
memory/2940-5-0x0000000004EE0000-0x0000000004EEA000-memory.dmp

Filesize
40KB

Download
memory/2940-10-0x0000000006230000-0x00000000062F2000-memory.dmp

Filesize
776KB

Download
memory/2940-2-0x00000000052D0000-0x0000000005874000-memory.dmp

Filesize
5.6MB

Download
memory/2940-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/2940-9-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/2940-18-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/2940-8-0x00000000744DE000-0x00000000744DF000-memory.dmp

Filesize
4KB

Download
memory/2940-3-0x0000000004E20000-0x0000000004EB2000-memory.dmp

Filesize
584KB

Download
memory/2940-1-0x0000000000350000-0x0000000000446000-memory.dmp

Filesize
984KB

Download
memory/2940-7-0x0000000005240000-0x0000000005258000-memory.dmp

Filesize
96KB

Download
memory/3056-540-0x0000000000E70000-0x0000000000F66000-memory.dmp

Filesize
984KB

Download
memory/3968-241-0x0000000001030000-0x0000000001126000-memory.dmp

Filesize
984KB

Download
memory/4148-764-0x0000000000640000-0x0000000000736000-memory.dmp

Filesize
984KB

Download
memory/4220-133-0x00000000010A0000-0x0000000001196000-memory.dmp

Filesize
984KB

Download
memory/4496-146-0x0000000005D30000-0x0000000005D7C000-memory.dmp

Filesize
304KB

Download
memory/4496-140-0x0000000005440000-0x0000000005794000-memory.dmp

Filesize
3.3MB

Download
memory/4496-147-0x000000006F5C0000-0x000000006F60C000-memory.dmp

Filesize
304KB

Download
memory/4496-157-0x0000000006D70000-0x0000000006E13000-memory.dmp

Filesize
652KB

Download
memory/4496-158-0x0000000007020000-0x0000000007031000-memory.dmp

Filesize
68KB

Download
memory/4496-159-0x0000000007070000-0x0000000007084000-memory.dmp

Filesize
80KB

Download
memory/4580-376-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4580-762-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4580-280-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4580-125-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4580-501-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4580-763-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4580-472-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4580-132-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4580-130-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4580-127-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4580-657-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4580-658-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4580-410-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4580-281-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5088-17-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5088-12-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5088-14-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5088-97-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5088-11-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5264-669-0x0000000000520000-0x0000000000616000-memory.dmp

Filesize
984KB

Download
memory/5464-342-0x0000000000C00000-0x0000000000CF6000-memory.dmp

Filesize
984KB

Download