remcos | 51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Size

962KB
MD5

4a9440baa61be8363a372b0bbc5933ad
SHA1

9aa5380dc87829c6fa22e9029cadcab9f6221ef9
SHA256

51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c
SHA512

648bd4434ce14e15c3faba25945525fffec6dad028e8fe26982d70096ccd448ca6e114e10739b1e990ea65970db97897713b8054450f1cd98c9aacb596436b0c
SSDEEP

24576:fdFeteG2H+FLBvmhCWWmLiUZklZGIo/KCrB:FA9w+bvmhCWWpUZkbDo5rB

Score

10^/10

remcos graias discovery execution persistence rat

Malware Config

Extracted

Family

remcos

Botnet

Graias

185.234.72.215:4444

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
graias.exe
copy_folder
Graias
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
graias
mouse_option
false
mutex
Rmc-O844B9
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1716	powershell.exe
3564	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	graias.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe

Executes dropped EXE 2 IoCs

pid	Process
1860	graias.exe
3228	graias.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-O844B9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Graias\\graias.exe\""	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-O844B9 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Graias\\graias.exe\""	graias.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 3176 set thread context of 2688	3176	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 1860 set thread context of 3228	1860	graias.exe	100
PID 3228 set thread context of 4376	3228	graias.exe	102
PID 3228 set thread context of 1728	3228	graias.exe	126
PID 3228 set thread context of 1044	3228	graias.exe	135
PID 3228 set thread context of 5816	3228	graias.exe	144
PID 3228 set thread context of 2928	3228	graias.exe	153
PID 3228 set thread context of 5312	3228	graias.exe	162
PID 3228 set thread context of 2724	3228	graias.exe	171

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2460	3176	WerFault.exe	81
1404	1860	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	graias.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	graias.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1716	powershell.exe
1716	powershell.exe
3564	powershell.exe
3564	powershell.exe
4744	msedge.exe
4744	msedge.exe
856	msedge.exe
856	msedge.exe
444	identity_helper.exe
444	identity_helper.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
3228	graias.exe
3228	graias.exe
3228	graias.exe
3228	graias.exe
3228	graias.exe
3228	graias.exe
3228	graias.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe
856	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3228	graias.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 1716	3176	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	89
PID 3176 wrote to memory of 1716	3176	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	89
PID 3176 wrote to memory of 1716	3176	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	89
PID 3176 wrote to memory of 2688	3176	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 3176 wrote to memory of 2688	3176	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 3176 wrote to memory of 2688	3176	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 3176 wrote to memory of 2688	3176	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 3176 wrote to memory of 2688	3176	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 3176 wrote to memory of 2688	3176	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 3176 wrote to memory of 2688	3176	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 3176 wrote to memory of 2688	3176	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 3176 wrote to memory of 2688	3176	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 3176 wrote to memory of 2688	3176	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	91
PID 2688 wrote to memory of 1860	2688	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	95
PID 2688 wrote to memory of 1860	2688	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	95
PID 2688 wrote to memory of 1860	2688	51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe	95
PID 1860 wrote to memory of 3564	1860	graias.exe	98
PID 1860 wrote to memory of 3564	1860	graias.exe	98
PID 1860 wrote to memory of 3564	1860	graias.exe	98
PID 1860 wrote to memory of 3228	1860	graias.exe	100
PID 1860 wrote to memory of 3228	1860	graias.exe	100
PID 1860 wrote to memory of 3228	1860	graias.exe	100
PID 1860 wrote to memory of 3228	1860	graias.exe	100
PID 1860 wrote to memory of 3228	1860	graias.exe	100
PID 1860 wrote to memory of 3228	1860	graias.exe	100
PID 1860 wrote to memory of 3228	1860	graias.exe	100
PID 1860 wrote to memory of 3228	1860	graias.exe	100
PID 1860 wrote to memory of 3228	1860	graias.exe	100
PID 1860 wrote to memory of 3228	1860	graias.exe	100
PID 3228 wrote to memory of 4376	3228	graias.exe	102
PID 3228 wrote to memory of 4376	3228	graias.exe	102
PID 3228 wrote to memory of 4376	3228	graias.exe	102
PID 3228 wrote to memory of 4376	3228	graias.exe	102
PID 4376 wrote to memory of 856	4376	svchost.exe	104
PID 4376 wrote to memory of 856	4376	svchost.exe	104
PID 856 wrote to memory of 1708	856	msedge.exe	105
PID 856 wrote to memory of 1708	856	msedge.exe	105
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106
PID 856 wrote to memory of 1480	856	msedge.exe	106

C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
"C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe
  "C:\Users\Admin\AppData\Local\Temp\51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Roaming\Graias\graias.exe
    "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3564
  - - C:\Users\Admin\AppData\Roaming\Graias\graias.exe
      "C:\Users\Admin\AppData\Roaming\Graias\graias.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3228
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4376
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb279146f8,0x7ffb27914708,0x7ffb27914718
        7⤵
        
        PID:1708
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        7⤵
        
        PID:1480
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
        7⤵
        
        PID:2156
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
        7⤵
        
        PID:3632
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
        7⤵
        
        PID:1824
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
        7⤵
        
        PID:4416
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
        7⤵
        
        PID:3852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:444
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
        7⤵
        
        PID:4852
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
        7⤵
        
        PID:1368
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
        7⤵
        
        PID:2096
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
        7⤵
        
        PID:2788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
        7⤵
        
        PID:3136
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
        7⤵
        
        PID:440
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
        7⤵
        
        PID:3052
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
        7⤵
        
        PID:3744
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3016 /prefetch:1
        7⤵
        
        PID:2888
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
        7⤵
        
        PID:4372
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1996 /prefetch:1
        7⤵
        
        PID:5476
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1768 /prefetch:1
        7⤵
        
        PID:5556
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
        7⤵
        
        PID:5876
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
        7⤵
        
        PID:5972
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
        7⤵
        
        PID:5320
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
        7⤵
        
        PID:2220
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
        7⤵
        
        PID:3404
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
        7⤵
        
        PID:5800
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1344 /prefetch:1
        7⤵
        
        PID:2180
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
        7⤵
        
        PID:4232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
        7⤵
        
        PID:5896
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
        7⤵
        
        PID:5588
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1
        7⤵
        
        PID:5968
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
        7⤵
        
        PID:5124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7340 /prefetch:1
        7⤵
        
        PID:5900
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,7347280610506252442,6041739910957895307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7052 /prefetch:1
        7⤵
        
        PID:5308
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:2584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb279146f8,0x7ffb27914708,0x7ffb27914718
        7⤵
        
        PID:1404
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:4952
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb279146f8,0x7ffb27914708,0x7ffb27914718
        7⤵
        
        PID:4844
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:1264
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb279146f8,0x7ffb27914708,0x7ffb27914718
        7⤵
        
        PID:4328
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5400
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb279146f8,0x7ffb27914708,0x7ffb27914718
        7⤵
        
        PID:5412
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5788
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb279146f8,0x7ffb27914708,0x7ffb27914718
        7⤵
        
        PID:5804
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5816
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:684
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb279146f8,0x7ffb27914708,0x7ffb27914718
        7⤵
        
        PID:2168
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:4828
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb279146f8,0x7ffb27914708,0x7ffb27914718
        7⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5164
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xd8,0x100,0x104,0xfc,0x108,0x7ffb279146f8,0x7ffb27914708,0x7ffb27914718
        7⤵
        
        PID:3940
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:116
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb279146f8,0x7ffb27914708,0x7ffb27914718
        7⤵
        
        PID:5864
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5312
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:5700
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb279146f8,0x7ffb27914708,0x7ffb27914718
        7⤵
        
        PID:5640
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
        6⤵
        
        PID:1584
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb279146f8,0x7ffb27914708,0x7ffb27914718
        7⤵
        
        PID:3008
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 1196
      4⤵
      Program crash
      PID:1404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 1640
  2⤵
  - Program crash
  PID:2460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3176 -ip 3176
1⤵
PID:2156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1860 -ip 1860
1⤵
PID:4372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
68KB

MD5
0cccccd82d68d5ff076e1bd047436ec8

SHA1
0b9d6ebef9ac1c03f8138e9fc9203f9cd69d2a73

SHA256
0e9d24e58133fdae2fe766ece9358afdc57da1568485bf36182851b6c1291246

SHA512
84c357d75e1b7c25249ef826bf5ea9ef4445f2d4f985ae7128363421ac28f1cf438256cb40cdfd2fcf9ad439900dfc7796f9ab850e0445dbbfab5c23f29575eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
89KB

MD5
6c66566329b8f1f2a69392a74e726d4c

SHA1
7609ceb7d28c601a8d7279c8b5921742a64d28ce

SHA256
f512f4fb0d4855fc4aa78e26516e9ec1cfabc423a353cd01bc68ee6098dc56d6

SHA512
aca511bfaf9b464aff7b14998f06a7e997e22fcbe7728401a1e4bd7e4eceb8c938bbd820a16d471d0b5a0589d8807b426b97292fc2a28578a62e4681185556c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
487KB

MD5
831a0aa25af2c60a7380ea75c321d930

SHA1
140ec306c24ab6f348c4dde5900b219d817e2026

SHA256
8cdde5daa52335c0a4e416f6fc22aa80744207a38fc276bd65341c2d2e903557

SHA512
0147937b2b2cf9bbf7e8dbee2d598e156c6ce4ddff224b3dc48caed96e89038ecdff1ace743b82fdf6155c40b674f4b1983693dbe45c39898487d3b7be258161

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
19KB

MD5
4d0bfea9ebda0657cee433600ed087b6

SHA1
f13c690b170d5ba6be45dedc576776ca79718d98

SHA256
67e7d8e61b9984289b6f3f476bbeb6ceb955bec823243263cf1ee57d7db7ae9a

SHA512
9136adec32f1d29a72a486b4604309aa8f9611663fa1e8d49079b67260b2b09cefdc3852cf5c08ca9f5d8ea718a16dbd8d8120ac3164b0d1519d8ef8a19e4ea5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
259KB

MD5
34504ed4414852e907ecc19528c2a9f0

SHA1
0694ca8841b146adcaf21c84dedc1b14e0a70646

SHA256
c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810

SHA512
173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
62KB

MD5
8ccb0248b7f2abeead74c057232df42a

SHA1
c02bd92fea2df7ed12c8013b161670b39e1ec52f

SHA256
0a9fd0c7f32eabbb2834854c655b958ec72a321f3c1cf50035dd87816591cdcc

SHA512
6d6e3c858886c9d6186ad13b94dbc2d67918aa477fb7d70a7140223fab435cf109537c51ca7f4b2a0db00eead806bbe8c6b29b947b0be7044358d2823f5057ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0ff443fe545a5de6_0

Filesize
295KB

MD5
b39fb2820809a478d86fe1bc148578ac

SHA1
846ac45fd414fb96d9030d141d0d0d1ecbc6b144

SHA256
3c2833591153305eb41647861c1faa90e360ca5946c596e6b84ba7acb5477380

SHA512
253f03ac6c90681c5b025d59f55e8f88fc8b90a7280b26c20d4f9b7ba45678f9b13304057a9e4459f3613d6ae83b0323a7f59328552e8d7dc0a2c45b96959555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\26f1a435530e3442_0

Filesize
1KB

MD5
a7fa44766a065133a8bc448da666ea58

SHA1
ddd4bc3c938dddf38f57798ad84b2396e82bca84

SHA256
a7c8041004116cca5e7e3183c4053eec23950dc3442eb206b903f71b4e9521ba

SHA512
de62a4c2e84ce4e0f825ac2fdaca60c4bb66d65f4380efc2e3852d69020861b4927ffe82eade234f9f999579dfe6353476bfb702cd67095c3d9992e7a31e5a59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3ab592dde6ff023e_0

Filesize
272B

MD5
2dc28f7a3be5e65d4b29d00721a1adfe

SHA1
592d533db5fe3e8aa92602f2de3ac582a6b870cc

SHA256
082493ac170d9ae633d657d9558e3b9e235708a0d1f311d5eeaa24db8c23fd53

SHA512
446e767888f53b5b5fa8cfbab29616957522b7687ec566728a681510641a04d0943460ef14e93704ee436eaad998be092f770e9fd860e892a50b78ca86ce6183

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\67c896e8aae559d2_0

Filesize
291B

MD5
2dc1de30f954fd3eba97c95bb0b2d45d

SHA1
6967d8a5a0e0e83370fa889c2b16ce0d87e7c6a6

SHA256
c7fe3ac449f12360109968e10ff18f74c8ca32eb0a671f8799a6b17d2f6b4efb

SHA512
885699a79c9861f5044f9f94c2d1a16e090370d4367822047616850eb346b616013af4b5990a8cef462959b57dcaa6290f2f540aa9992048dcd50fefcc59950e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9aeca359385c8ecb_0

Filesize
1.3MB

MD5
2953746af79a5e101f70162bc1245aaa

SHA1
f88988c8169bfa5b6ad3abec6785c65e6fc50dd2

SHA256
11d8c71c46ba60f3284cd1ac4be6a4e8cfff8069cc7ebaad1aa2f5ebc14e0a76

SHA512
eec16291ac2a6bbb96c712f87d22540b5e4f9d3045986447c910fee252ee4bdb16b8532e89e2fac6d91cd57f4c45b6fb535b3296b0058216e1e12d5ed70565fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d404bc34e42b5ac5_0

Filesize
1.2MB

MD5
a24842629744075277e84e27c3340014

SHA1
ce6a7169d17d99e5a3afa0901897386f6e965440

SHA256
d879e33e29bdfd407477dfdaaf22d86874a4dba6f6a15f0815738a81acffc1d2

SHA512
53daace4f0d7705272fe4f64dc2995f241eb20d1f02e5e0f0465e0c0cb3c82da46a520381cdcde65900ab53f95630ed94cc2d6f951a85fe969a80af3846597d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e91da4b52bb26ef3_0

Filesize
297B

MD5
8d1c7d200d395fe641b04930d1ad2af0

SHA1
908e3cab1a385681f7de2a7cf4e7c7fbffcdc6d2

SHA256
ffa65f2308de6babb23f838b2aa41cbcac4ea18ad78f648be5f21a4d4d54abec

SHA512
155c40d5851811f52fde0b8cc978e2a99749796b8dab574bec4ce7035d71f2dbab683a6052a73da86c1c28857037ca0c60820bfea73c92bb9b532a2a6ecb8bbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f29ed5b5251e1eaf_0

Filesize
269B

MD5
b954f166f7162a0065bfab4e4c2f0ec3

SHA1
4c5cab824613ed4c9f49681954c047392eb2cf06

SHA256
726ad8f3ea3623ee921eef5044fff696b557457d70d40cbebea791ce3f87ef40

SHA512
8c5c567093c1a419eed0c42e096c0b64738c2dd92650cf764dd78b7d65efe0acf0d60e2a6e98ecbf3497469757c6a2efd6ccd6208d1e30d7c645a557bcc14354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\faba8ade89e257c6_0

Filesize
188KB

MD5
a3700aa64cd5bdd811862d0ba051ffdb

SHA1
4ef0e8d8a47b957ca70e349a8fe3bc10a6a97217

SHA256
6afc642abb5b2afdad22b46eb842f52e405f16f41d5274ac159a060ec6a25a38

SHA512
3370a62fca2725091d94c3990ac2bd5ccb89d9b2b943e5d09e3e5904b1957c8b0afc392202538aaeac3430166d22087c4e07d0161d25d1b26fdd90160588ef5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
437B

MD5
05592d6b429a6209d372dba7629ce97c

SHA1
b4d45e956e3ec9651d4e1e045b887c7ccbdde326

SHA256
3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd

SHA512
caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8ab7a0ee025875787c9204513c33a673

SHA1
33f2a7821104cb18799d1e04daaf069743e8a903

SHA256
d59b5f3ac0eaf6d4deba580acd10ebb6ab9b2b2f2aafda799b612303ea849a2c

SHA512
c75a5b17c0828286f5e2816fd111bba0730397f49d5b48131a85f823af55f8982d403424dbad60a009798ed1103a1decbd8ce75cbba83cf813f1d30b0965d71d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2dca728e6bee3d7addabe2a048ca2a7f

SHA1
97e0b085e59c480556d39125b478125565db3931

SHA256
a58e2cc40d840e9fd21e87646c0ffa0fb9b3fc5bbb024344a52545a356ea1f40

SHA512
1336990bf5eddb890475a555844b8aa01ff2803c56db815cb69c18ba943f8d7732f31b1ca66e6b8e31778085efdf2e26cf7211f9a64718e00c667e83608be65b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9ca9660c4cd0852e5ed574fb20a77025

SHA1
fdef08bbf738771c39cb5e76c4fa721ebfa7ab48

SHA256
695a34e9049002dc9b70bf515e0afa45daac201812e2287147eea6ddd126a2d0

SHA512
62b5e2845cf04b46ac2c7b3edb6a6c5f513737017c337f59f50cc1648d267fa4f399ac0dba8bbe33730cea490d468602f44ee8273c0a4d3d3094d2cdf9c68cab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
42ece79f19f8f33ad7156c96903fa759

SHA1
18f9e93738718695d187ac87b742d5c59ed95429

SHA256
1fc58e1e7d65b07b924adc843de7a65674584205788484ab6ba1ba1757d2f32f

SHA512
c07fb215c1f5272f01df9651ffe0e8992e6e2dfcf72072108d1a202420454062591afc5ed15c59c99e18b0fe76a348ea36550c710c0762a2ea6a9953cb5dc7e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
120564c1bee87e9020261adbd6980aea

SHA1
4b532d02fd70a79ad21f9f180cd75fa6f055ab8e

SHA256
29bd79bfbfe0cb6ff16e61d083fedbe42e7ff489c4f90944def504192cf4fb00

SHA512
8bf8945b13cd6fb31b65b870dc78721b75151b997a543b9448e530930bf254de736facc3b5e27742f13d61d90429470823c450eded1e7f60c1a49bd6a853b6d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c7fe3ff9ea3612d122bca5bfbe717835

SHA1
5ed0614a15d2b26421a69940c2e173837f6619f8

SHA256
c10b2efff18f2f3b62593ae40a641b4c7577a53c86197d86a232a6f9490fb037

SHA512
e22ac559c9c96deb9a8f455a18aefac50d74644248ec924af52a89c4d178e2455a35214a7721594c0a434ab1610a9d229d0e49130092ac0998ecd39d06511ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a864b1bee3efe57f25c44799e5ebe551

SHA1
b78e102f43e6f283f4f85dbe56161426b5a815d3

SHA256
283cdd6f296b0f18a8f19c38ae3b23a92f6da9f4725b6ec1f364569bd335c306

SHA512
c028196d5c575d8140622349fdee559d3b6ac8b521c138d635414871b1fbda1bc63144c011fdb8c4855535a212acbae9d342c3c005eaff0ba1e04296b60c5139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3d4b67a9929f700dd29ce3d9c54c34d2

SHA1
04a29fde299c73180721efe28d9bfc3c117c2724

SHA256
f310438ae2d5c9600161f8f64e6cbe9e990725f8d48cd14f2e91974b9d0d6179

SHA512
5b54e2a5ff622c5f7b83f6050a95c81de34da2e35c62306532d022d3158d4dd4c94e9eb7bec33aaa1c0bef7c29bf00e4bd20993b4e99f03a6dc65a3bcd0a617a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
9d0cbe718e437aaed027ff166c96c0c6

SHA1
d7e6e471871c5a019460cdc734478cedbd836e57

SHA256
96434b8048770dcb14041baf504491f66d04253c87dac149c0c7c204ff149943

SHA512
7f2129bf725d6a4948e98b58ed575f54a0b8a56461739dff9f09fc805a95721147ca0598cb2a81edca6b3dabee58cb027b6284d3886b7dece97f6f5b7224ee80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
a96561e717a0a38e997d4571bfcb981c

SHA1
8ae1f6c9229e108d0e92e4d207633bf05ca0eeec

SHA256
8d7d214a00cc63ea08e00a912de1f99b93aa1abac6e373a58c2090d6887d928d

SHA512
06d85280b67aa317954e0f2ecd53e751348b030ce5c34d79a8360e4f2dfbeca65832306cac681b1f5364fb220fbeb927934931cd2245c0cfcd17175b8461d70f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
3e83d08e80fe7c30b5f13b03c67c3402

SHA1
06477c95579afe2f97a3f9b28be40de56435af2f

SHA256
272eccfb1c26de07725ef9d608aae949eb41bb0b7afcd84226bbad15385359a3

SHA512
47a3256a820d71864d835f99dfd430b206532db393089202a3af05e7d5be9594a863ca3059847dc9950b7d0a24f20abcb065fc189720bb8edf0b9dbf55d0bacb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
367B

MD5
fe815fc855858430791197ee69a7b5b2

SHA1
6250734721ebeb833912dc5078211ddf188294f8

SHA256
918f1d40e0f544c276400bc817b86ae054abd088e092e1c00452d7c0e27362c8

SHA512
01c518327baee59013a7d141e72bab5d2419642c173998811801ef352f7da170f7e4249f3e06da13b5a63d6cac94302fa7275636c89bc4598326e6e15218c7e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
f39e1f3efb4b341ba0707aa16e92bca5

SHA1
b919e3ac105b96b6ff418511338bd06eb129f3be

SHA256
a249ef391477a9122b5ae898b81a36feaf62ad3e2a78bf8ca69b624f15b7345f

SHA512
58eb7431203b4fa64c14c717a4e0b7e4041fddb47ea80e104f0dc3a338dbce3ff2072b2867233384433b16f63ef79eee4eac79b7bfec1c77d9496741f922383b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
767d491d37c9d67dd6e144bf47604745

SHA1
bd16e79d7cdb2563b122923bb67b35122a503e2f

SHA256
6e5810fe19ba72a3978274379d706fd193c038ea77e7f7d89b3ed7d4e413ead4

SHA512
18b8d7cd3a868461704f18b52591da64a67ad2ab18cca9a08e5236c77165784ad7ff6111bd28858405338f05ac7e95fa90c098b91e15751d9861ae538a384f5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5885e4.TMP

Filesize
371B

MD5
7026e913e3e0f6e1eb9872fd6350ab22

SHA1
abfd9f8dde0b1a53d04d7b9996da93615a5a449c

SHA256
3bcdac875b97b09a3d9b56479dcdc0ea44fca3fd3a50455b9f0b79f48c039ca8

SHA512
832f508168329044f264f6086949fe09d0bdd4324e3f881cb3fe70bbf53ee4b8cf165a8f61dca264bd67c0008d1c9a4235f009c6d6f723794cf5064b4ec13eaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0a4579025fa29eafa7de63b753a0f4b6

SHA1
a1d391495cf998fa5500fb1f73429b19cc86d559

SHA256
5f1157f7a0a84e184fd3d9b4d6eb31ded6bbfa2ecd30f1958d8f59666df2fb66

SHA512
8ae7da7dac3c2bfa49f1fa015c52540773ab0c020eb3eb270a07673ee0be14235b08a89b46c6def687bf4953d01c46ab3e117682decc444263c674bee6fdea94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
a142154c55fc1d323e322f6b0c9e4124

SHA1
c4734f2c86b7cc2da118cad7134c85708a7501cb

SHA256
ad488f9a383ec28a2355cc8db18a9e84dfd1f6b8a0c0109348681b56afe05e48

SHA512
e6ff2a02606e3fdf71ed99150608adcc04196b6aa6ae663aef6f8c766220303d973268bf1bbfc365fad4a16bc15a266a666ed225383f89ca72a7e323fb5e58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fnqgf1qf.sav.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Graias\graias.exe

Filesize
962KB

MD5
4a9440baa61be8363a372b0bbc5933ad

SHA1
9aa5380dc87829c6fa22e9029cadcab9f6221ef9

SHA256
51c0bcbc40451c10e3b56df10853156378e8dbfb32ee63ea936737d42818822c

SHA512
648bd4434ce14e15c3faba25945525fffec6dad028e8fe26982d70096ccd448ca6e114e10739b1e990ea65970db97897713b8054450f1cd98c9aacb596436b0c

Download Submit
memory/1044-347-0x0000000000E90000-0x0000000000F88000-memory.dmp

Filesize
992KB

Download
memory/1716-96-0x0000000005E10000-0x0000000005E5C000-memory.dmp

Filesize
304KB

Download
memory/1716-73-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/1716-18-0x000000007519E000-0x000000007519F000-memory.dmp

Filesize
4KB

Download
memory/1716-19-0x0000000002450000-0x0000000002486000-memory.dmp

Filesize
216KB

Download
memory/1716-20-0x0000000005010000-0x0000000005638000-memory.dmp

Filesize
6.2MB

Download
memory/1716-63-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/1716-123-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/1716-70-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/1716-120-0x00000000073C0000-0x00000000073C8000-memory.dmp

Filesize
32KB

Download
memory/1716-71-0x0000000004EB0000-0x0000000004ED2000-memory.dmp

Filesize
136KB

Download
memory/1716-72-0x0000000004F50000-0x0000000004FB6000-memory.dmp

Filesize
408KB

Download
memory/1716-83-0x00000000058A0000-0x0000000005BF4000-memory.dmp

Filesize
3.3MB

Download
memory/1716-95-0x0000000005D60000-0x0000000005D7E000-memory.dmp

Filesize
120KB

Download
memory/1716-99-0x0000000006390000-0x00000000063C2000-memory.dmp

Filesize
200KB

Download
memory/1716-119-0x00000000073E0000-0x00000000073FA000-memory.dmp

Filesize
104KB

Download
memory/1716-118-0x00000000072E0000-0x00000000072F4000-memory.dmp

Filesize
80KB

Download
memory/1716-117-0x00000000072D0000-0x00000000072DE000-memory.dmp

Filesize
56KB

Download
memory/1716-116-0x00000000072A0000-0x00000000072B1000-memory.dmp

Filesize
68KB

Download
memory/1716-115-0x0000000007320000-0x00000000073B6000-memory.dmp

Filesize
600KB

Download
memory/1716-114-0x0000000007110000-0x000000000711A000-memory.dmp

Filesize
40KB

Download
memory/1716-113-0x00000000070A0000-0x00000000070BA000-memory.dmp

Filesize
104KB

Download
memory/1716-100-0x00000000707E0000-0x000000007082C000-memory.dmp

Filesize
304KB

Download
memory/1716-110-0x0000000006350000-0x000000000636E000-memory.dmp

Filesize
120KB

Download
memory/1716-112-0x00000000076E0000-0x0000000007D5A000-memory.dmp

Filesize
6.5MB

Download
memory/1716-111-0x0000000006D80000-0x0000000006E23000-memory.dmp

Filesize
652KB

Download
memory/1860-97-0x0000000005920000-0x0000000005934000-memory.dmp

Filesize
80KB

Download
memory/2688-94-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2688-11-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2688-12-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2688-14-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2688-17-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2928-546-0x0000000000E00000-0x0000000000EF8000-memory.dmp

Filesize
992KB

Download
memory/3176-7-0x0000000005CE0000-0x0000000005CF4000-memory.dmp

Filesize
80KB

Download
memory/3176-5-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/3176-1-0x0000000000E70000-0x0000000000F68000-memory.dmp

Filesize
992KB

Download
memory/3176-2-0x0000000005E60000-0x0000000006404000-memory.dmp

Filesize
5.6MB

Download
memory/3176-3-0x0000000005950000-0x00000000059E2000-memory.dmp

Filesize
584KB

Download
memory/3176-4-0x0000000005AF0000-0x0000000005AFA000-memory.dmp

Filesize
40KB

Download
memory/3176-6-0x0000000005BF0000-0x0000000005C8C000-memory.dmp

Filesize
624KB

Download
memory/3176-8-0x000000007519E000-0x000000007519F000-memory.dmp

Filesize
4KB

Download
memory/3176-9-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/3176-10-0x0000000007280000-0x0000000007344000-memory.dmp

Filesize
784KB

Download
memory/3176-98-0x0000000075190000-0x0000000075940000-memory.dmp

Filesize
7.7MB

Download
memory/3176-0-0x000000007519E000-0x000000007519F000-memory.dmp

Filesize
4KB

Download
memory/3228-284-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3228-126-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3228-133-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3228-130-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3228-742-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3228-127-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3228-285-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3228-408-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3228-504-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3228-407-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3228-741-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3228-646-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3228-512-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3228-645-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/3564-158-0x0000000006DD0000-0x0000000006E73000-memory.dmp

Filesize
652KB

Download
memory/3564-148-0x000000006EEF0000-0x000000006EF3C000-memory.dmp

Filesize
304KB

Download
memory/3564-159-0x0000000007090000-0x00000000070A1000-memory.dmp

Filesize
68KB

Download
memory/3564-145-0x00000000054B0000-0x0000000005804000-memory.dmp

Filesize
3.3MB

Download
memory/3564-147-0x0000000006100000-0x000000000614C000-memory.dmp

Filesize
304KB

Download
memory/3564-160-0x00000000070D0000-0x00000000070E4000-memory.dmp

Filesize
80KB

Download
memory/4376-134-0x0000000000A00000-0x0000000000AF8000-memory.dmp

Filesize
992KB

Download
memory/5312-647-0x0000000001000000-0x00000000010F8000-memory.dmp

Filesize
992KB

Download
memory/5816-442-0x0000000000CA0000-0x0000000000D98000-memory.dmp

Filesize
992KB

Download