Malware Analysis Report

2025-01-03 06:30

Sample ID 230904-k4lkhsfe29
Target hybri.exe
SHA256 9b71311ab909174fea4634b9df30c36c2c79f361e21fd5e6f4de0b07bcd010c6
Tags
stormkitty persistence spyware stealer discovery
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9b71311ab909174fea4634b9df30c36c2c79f361e21fd5e6f4de0b07bcd010c6

Threat Level: Known bad

The file hybri.exe was found to be: Known bad.

Malicious Activity Summary

stormkitty persistence spyware stealer discovery

StormKitty

StormKitty payload

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: LoadsDriver

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-04 09:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-04 09:09

Reported

2023-09-04 09:40

Platform

win7-20230831-en

Max time kernel

1559s

Max time network

1562s

Command Line

"C:\Users\Admin\AppData\Local\Temp\hybri.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3185155662-718608226-894467740-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe" C:\Users\Admin\AppData\Local\Temp\hybri.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2520 set thread context of 2652 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\hybri.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\hybri.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\hybri.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\hybri.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 2520 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 2520 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 2520 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 2520 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 2520 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 2520 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 2520 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 2520 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 2520 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 2520 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 2520 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 2520 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 2652 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Windows\SysWOW64\cmd.exe
PID 676 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 676 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 676 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 676 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 676 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 676 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 676 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 676 wrote to memory of 1524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 676 wrote to memory of 1652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 676 wrote to memory of 1652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 676 wrote to memory of 1652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 676 wrote to memory of 1652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2652 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 1972 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1972 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1972 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1972 wrote to memory of 944 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1972 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1972 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1972 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1972 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1972 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1972 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1972 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 1972 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\hybri.exe

"C:\Users\Admin\AppData\Local\Temp\hybri.exe"

C:\Users\Admin\AppData\Local\Temp\hybri.exe

"C:\Users\Admin\AppData\Local\Temp\hybri.exe"

C:\Users\Admin\AppData\Local\Temp\hybri.exe

"C:\Users\Admin\AppData\Local\Temp\hybri.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile name=65001 key=clear

C:\Windows\SysWOW64\findstr.exe

findstr Key

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 api.anonfiles.com udp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp

Files

memory/2520-0-0x0000000074CE0000-0x00000000753CE000-memory.dmp

memory/2520-1-0x00000000001E0000-0x0000000000316000-memory.dmp

memory/2520-2-0x0000000000440000-0x0000000000446000-memory.dmp

memory/2520-3-0x0000000005EB0000-0x0000000005EF0000-memory.dmp

memory/2520-5-0x00000000004B0000-0x00000000004BA000-memory.dmp

memory/2652-6-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2652-7-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2652-8-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2652-10-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2652-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2652-14-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2520-17-0x0000000074CE0000-0x00000000753CE000-memory.dmp

memory/2652-16-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2652-19-0x0000000000400000-0x000000000051C000-memory.dmp

memory/2652-20-0x0000000074CE0000-0x00000000753CE000-memory.dmp

memory/2652-21-0x0000000000740000-0x000000000074A000-memory.dmp

memory/2652-22-0x0000000000840000-0x000000000085A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB6B4.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\TarB714.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\Local\Temp\passwords.txt

MD5 68b329da9893e34099c7d8ad5cb9c940
SHA1 adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512 be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

memory/2652-73-0x0000000074CE0000-0x00000000753CE000-memory.dmp

memory/2652-74-0x00000000008C0000-0x0000000000900000-memory.dmp

memory/2652-75-0x0000000074CE0000-0x00000000753CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-04 09:09

Reported

2023-09-04 09:47

Platform

win10v2004-20230831-en

Max time kernel

2221s

Max time network

2146s

Command Line

C:\Windows\System32\svchost.exe -k netsvcs -p

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1980726966-773384374-2129981223-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Services = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update Folder\\Windows Update.exe" C:\Users\Admin\AppData\Local\Temp\hybri.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{09F3CF3C-389C-4FDA-823F-6A1FDCD9AB9F}.catalogItem C:\Windows\System32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 400 set thread context of 2220 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Process Hacker 2\is-CJMO7.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\is-NNG0F.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\plugins\is-Q24RG.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\plugins\is-38IMK.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File opened for modification C:\Program Files\Process Hacker 2\plugins\Updater.dll C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\is-C2G3V.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\is-DT7M3.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\is-QEH6V.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\plugins\is-060QS.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File opened for modification C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File opened for modification C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\is-A7DP0.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\plugins\is-98361.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\plugins\is-BIS4E.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File opened for modification C:\Program Files\Process Hacker 2\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File opened for modification C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File opened for modification C:\Program Files\Process Hacker 2\plugins\UserNotes.dll C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File opened for modification C:\Program Files\Process Hacker 2\x86\ProcessHacker.exe C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\x86\is-P1PQV.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File opened for modification C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File opened for modification C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File opened for modification C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File opened for modification C:\Program Files\Process Hacker 2\x86\plugins\DotNetTools.dll C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File opened for modification C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\is-QD63R.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\is-1PBOA.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\plugins\is-L4RRV.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File opened for modification C:\Program Files\Process Hacker 2\ProcessHacker.exe C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File opened for modification C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\is-8T792.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\plugins\is-JI752.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\plugins\is-EEFRQ.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\plugins\is-STJK0.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\plugins\is-NN13S.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File opened for modification C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\x86\plugins\is-4N2KO.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\is-NJFDO.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\plugins\is-FM5SU.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File created C:\Program Files\Process Hacker 2\plugins\is-9Q532.tmp C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File opened for modification C:\Program Files\Process Hacker 2\peview.exe C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
File opened for modification C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\svchost.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\svchost.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\System32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1980726966-773384374-2129981223-1000\{1A667D45-1717-4CD9-9F34-205176883520} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
Token: 33 N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A
N/A N/A C:\Program Files\Process Hacker 2\ProcessHacker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 400 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 400 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 400 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 400 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 400 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 400 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 400 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 400 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Users\Admin\AppData\Local\Temp\hybri.exe
PID 2220 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 3816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4920 wrote to memory of 3816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4920 wrote to memory of 3816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4920 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4920 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4920 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4920 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4920 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4920 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2220 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\hybri.exe C:\Windows\SysWOW64\cmd.exe
PID 5368 wrote to memory of 5428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5368 wrote to memory of 5428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5368 wrote to memory of 5428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 5368 wrote to memory of 5444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5368 wrote to memory of 5444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5368 wrote to memory of 5444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 5368 wrote to memory of 5452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5368 wrote to memory of 5452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5368 wrote to memory of 5452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5204 wrote to memory of 5216 N/A C:\Users\Admin\Downloads\processhacker-2.39-setup.exe C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp
PID 5204 wrote to memory of 5216 N/A C:\Users\Admin\Downloads\processhacker-2.39-setup.exe C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp
PID 5204 wrote to memory of 5216 N/A C:\Users\Admin\Downloads\processhacker-2.39-setup.exe C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp
PID 4364 wrote to memory of 3884 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 3884 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4364 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Users\Admin\AppData\Local\Temp\hybri.exe

"C:\Users\Admin\AppData\Local\Temp\hybri.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8611746f8,0x7ff861174708,0x7ff861174718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\hybri.exe

"C:\Users\Admin\AppData\Local\Temp\hybri.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\findstr.exe

findstr Key

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile name=65001 key=clear

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5276 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7420 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7832 /prefetch:8

C:\Users\Admin\Downloads\processhacker-2.39-setup.exe

"C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"

C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp" /SL5="$1500E4,1874675,150016,C:\Users\Admin\Downloads\processhacker-2.39-setup.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,9301072860852725909,11371460634897694351,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1

C:\Program Files\Process Hacker 2\ProcessHacker.exe

"C:\Program Files\Process Hacker 2\ProcessHacker.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8611746f8,0x7ff861174708,0x7ff861174718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2588 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8088 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8076 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8016 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7768 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1736 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7800 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=8256 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8060 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5104 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7760 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1820 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,8132234247784512934,3728707166728155935,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7884 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 88.221.24.113:443 www.bing.com tcp
US 8.8.8.8:53 113.24.221.88.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
NL 88.221.24.120:443 th.bing.com tcp
NL 88.221.24.120:443 th.bing.com tcp
NL 88.221.24.74:443 r.bing.com tcp
NL 88.221.24.74:443 r.bing.com tcp
US 8.8.8.8:53 120.24.221.88.in-addr.arpa udp
US 8.8.8.8:53 74.24.221.88.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 242.44.101.158.in-addr.arpa udp
US 8.8.8.8:53 processhacker.sourceforge.io udp
US 172.64.148.49:443 processhacker.sourceforge.io tcp
US 172.64.148.49:443 processhacker.sourceforge.io tcp
US 8.8.8.8:53 sourceforge.net udp
US 104.18.37.111:443 sourceforge.net tcp
US 8.8.8.8:53 49.148.64.172.in-addr.arpa udp
US 8.8.8.8:53 8.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 111.37.18.104.in-addr.arpa udp
US 8.8.8.8:53 api.anonfiles.com udp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
NL 142.250.102.157:443 stats.g.doubleclick.net tcp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 157.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 a.fsdn.com udp
US 104.18.40.209:443 a.fsdn.com tcp
US 104.18.40.209:443 a.fsdn.com tcp
US 104.18.40.209:443 a.fsdn.com tcp
US 104.18.40.209:443 a.fsdn.com tcp
US 104.18.40.209:443 a.fsdn.com tcp
US 104.18.40.209:443 a.fsdn.com tcp
US 104.18.40.209:443 a.fsdn.com tcp
US 104.18.40.209:443 a.fsdn.com tcp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 104.16.57.101:443 static.cloudflareinsights.com tcp
US 8.8.8.8:53 ib.adnxs.com udp
US 8.8.8.8:53 prg.smartadserver.com udp
US 8.8.8.8:53 hbopenbid.pubmatic.com udp
US 8.8.8.8:53 btlr.sharethrough.com udp
US 8.8.8.8:53 ap.lijit.com udp
FR 185.86.139.95:443 prg.smartadserver.com tcp
FR 185.86.139.95:443 prg.smartadserver.com tcp
FR 185.86.139.95:443 prg.smartadserver.com tcp
FR 185.86.139.95:443 prg.smartadserver.com tcp
DE 35.156.181.219:443 btlr.sharethrough.com tcp
DE 35.156.181.219:443 btlr.sharethrough.com tcp
DE 35.156.181.219:443 btlr.sharethrough.com tcp
DE 35.156.181.219:443 btlr.sharethrough.com tcp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 btloader.com udp
US 8.8.8.8:53 analytics.slashdotmedia.com udp
US 8.8.8.8:53 fastlane.rubiconproject.com udp
NL 216.52.2.91:443 ap.lijit.com tcp
NL 185.89.210.46:443 ib.adnxs.com tcp
GB 185.64.190.77:443 hbopenbid.pubmatic.com tcp
NL 213.19.162.21:443 fastlane.rubiconproject.com tcp
US 216.105.38.9:443 analytics.slashdotmedia.com tcp
US 104.26.6.139:443 btloader.com tcp
US 8.8.8.8:53 c.sf-syn.com udp
US 172.64.154.159:443 c.sf-syn.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.169:80 apps.identrust.com tcp
US 8.8.8.8:53 209.40.18.104.in-addr.arpa udp
US 8.8.8.8:53 101.57.16.104.in-addr.arpa udp
US 8.8.8.8:53 219.181.156.35.in-addr.arpa udp
US 8.8.8.8:53 95.139.86.185.in-addr.arpa udp
US 8.8.8.8:53 91.2.52.216.in-addr.arpa udp
US 8.8.8.8:53 46.210.89.185.in-addr.arpa udp
US 8.8.8.8:53 77.190.64.185.in-addr.arpa udp
US 8.8.8.8:53 21.162.19.213.in-addr.arpa udp
US 8.8.8.8:53 139.6.26.104.in-addr.arpa udp
US 8.8.8.8:53 9.38.105.216.in-addr.arpa udp
US 8.8.8.8:53 112.211.227.13.in-addr.arpa udp
US 8.8.8.8:53 159.154.64.172.in-addr.arpa udp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
DE 172.217.23.194:443 securepubads.g.doubleclick.net tcp
US 8.8.8.8:53 api.btloader.com udp
US 130.211.23.194:443 api.btloader.com tcp
US 8.8.8.8:53 ad-delivery.net udp
US 104.26.3.70:443 ad-delivery.net tcp
US 104.26.3.70:443 ad-delivery.net tcp
US 8.8.8.8:53 snap.licdn.com udp
US 2.18.121.75:443 snap.licdn.com tcp
US 130.211.23.194:443 api.btloader.com udp
US 8.8.8.8:53 ml314.com udp
US 34.111.234.236:443 ml314.com tcp
DE 172.217.23.194:443 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 ads.pro-market.net udp
US 8.8.8.8:53 tag.crsspxl.com udp
US 2.18.121.72:443 ads.pro-market.net tcp
US 34.111.234.236:443 ml314.com udp
US 8.8.8.8:53 169.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 194.23.211.130.in-addr.arpa udp
US 34.232.140.51:443 tag.crsspxl.com tcp
US 8.8.8.8:53 198.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 70.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 75.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 236.234.111.34.in-addr.arpa udp
US 8.8.8.8:53 512fbd6a34e97e81edb14d15b460ac52.safeframe.googlesyndication.com udp
NL 142.250.179.161:443 512fbd6a34e97e81edb14d15b460ac52.safeframe.googlesyndication.com tcp
US 8.8.8.8:53 72.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 51.140.232.34.in-addr.arpa udp
US 8.8.8.8:53 pbid.pro-market.net udp
US 107.178.240.89:443 pbid.pro-market.net tcp
US 8.8.8.8:53 cdn.linkedin.oribi.io udp
US 18.239.69.58:443 cdn.linkedin.oribi.io tcp
US 8.8.8.8:53 px.ads.linkedin.com udp
US 13.107.42.14:443 px.ads.linkedin.com tcp
US 8.8.8.8:53 ads.pubmatic.com udp
GB 23.44.232.202:443 ads.pubmatic.com tcp
US 8.8.8.8:53 161.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 89.240.178.107.in-addr.arpa udp
US 8.8.8.8:53 58.69.239.18.in-addr.arpa udp
US 8.8.8.8:53 101.14.18.104.in-addr.arpa udp
US 8.8.8.8:53 14.42.107.13.in-addr.arpa udp
US 8.8.8.8:53 cdn.ampproject.org udp
NL 142.250.179.161:443 cdn.ampproject.org tcp
NL 142.250.179.161:443 cdn.ampproject.org tcp
NL 142.250.179.161:443 cdn.ampproject.org tcp
NL 142.250.179.161:443 cdn.ampproject.org tcp
NL 142.250.179.161:443 cdn.ampproject.org tcp
US 8.8.8.8:53 tpc.googlesyndication.com udp
NL 142.251.36.1:443 tpc.googlesyndication.com tcp
NL 142.251.36.1:443 tpc.googlesyndication.com tcp
US 8.8.8.8:53 image6.pubmatic.com udp
GB 185.64.190.78:443 image6.pubmatic.com tcp
US 8.8.8.8:53 simage4.pubmatic.com udp
US 104.36.113.111:443 simage4.pubmatic.com tcp
US 8.8.8.8:53 202.232.44.23.in-addr.arpa udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
NL 142.251.36.1:443 tpc.googlesyndication.com udp
US 8.8.8.8:53 78.190.64.185.in-addr.arpa udp
US 8.8.8.8:53 111.113.36.104.in-addr.arpa udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.250.179.130:443 googleads.g.doubleclick.net tcp
NL 142.251.36.1:443 tpc.googlesyndication.com udp
US 8.8.8.8:53 www.googletagservices.com udp
DE 172.217.23.194:443 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 130.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 downloads.sourceforge.net udp
US 204.68.111.105:443 downloads.sourceforge.net tcp
US 204.68.111.105:443 downloads.sourceforge.net tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 gigenet.dl.sourceforge.net udp
US 69.65.16.142:443 gigenet.dl.sourceforge.net tcp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 105.111.68.204.in-addr.arpa udp
US 8.8.8.8:53 142.16.65.69.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 126.22.238.8.in-addr.arpa udp
NL 185.89.210.46:443 ib.adnxs.com tcp
NL 216.52.2.91:443 ap.lijit.com tcp
DE 35.156.181.219:443 btlr.sharethrough.com tcp
FR 185.86.139.95:443 prg.smartadserver.com tcp
FR 185.86.139.95:443 prg.smartadserver.com tcp
FR 185.86.139.95:443 prg.smartadserver.com tcp
FR 185.86.139.95:443 prg.smartadserver.com tcp
FR 185.86.139.95:443 prg.smartadserver.com tcp
FR 185.86.139.95:443 prg.smartadserver.com tcp
NL 213.19.162.21:443 fastlane.rubiconproject.com tcp
US 216.105.38.9:443 analytics.slashdotmedia.com tcp
US 8.8.8.8:53 wj32.org udp
US 162.243.25.33:443 wj32.org tcp
US 8.8.8.8:53 254.210.247.8.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 processhacker.sourceforge.net udp
US 104.18.37.111:80 processhacker.sourceforge.net tcp
US 104.18.37.111:443 processhacker.sourceforge.net tcp
US 8.8.8.8:53 processhacker.sourceforge.io udp
US 104.18.39.207:443 processhacker.sourceforge.io tcp
US 8.8.8.8:53 207.39.18.104.in-addr.arpa udp
NL 88.221.24.49:443 www.bing.com tcp
NL 88.221.24.49:443 www.bing.com udp
US 8.8.8.8:53 49.24.221.88.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 140.82.113.4:443 github.com tcp
US 140.82.113.4:443 github.com tcp
US 8.8.8.8:53 4.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.109.154:443 github.githubassets.com tcp
US 185.199.108.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 154.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.112.21:443 collector.github.com tcp
US 185.199.109.154:443 github.githubassets.com tcp
US 8.8.8.8:53 api.github.com udp
US 140.82.112.21:443 collector.github.com tcp
US 140.82.112.5:443 api.github.com tcp
US 8.8.8.8:53 21.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 5.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
GB 2.22.249.212:443 www.bing.com udp
US 8.8.8.8:53 212.249.22.2.in-addr.arpa udp
US 8.8.8.8:53 imgur.com udp
US 199.232.196.193:443 imgur.com tcp
US 199.232.196.193:443 imgur.com tcp
US 8.8.8.8:53 s.imgur.com udp
NL 199.232.148.193:443 s.imgur.com tcp
NL 199.232.148.193:443 s.imgur.com tcp
NL 199.232.148.193:443 s.imgur.com tcp
US 8.8.8.8:53 js.media-lab.ai udp
US 8.8.8.8:53 ced.sascdn.com udp
US 2.18.121.77:443 ced.sascdn.com tcp
NL 13.227.219.98:443 js.media-lab.ai tcp
US 8.8.8.8:53 ced-ns.sascdn.com udp
US 8.8.8.8:53 d3c8j8snkzfr1n.cloudfront.net udp
US 93.184.216.16:443 ced-ns.sascdn.com tcp
US 104.26.6.139:443 btloader.com tcp
US 8.8.8.8:53 browser.sentry-cdn.com udp
US 8.8.8.8:53 connect.facebook.net udp
US 151.101.194.217:443 browser.sentry-cdn.com tcp
US 8.8.8.8:53 stretchsquirrel.com udp
US 8.8.8.8:53 193.196.232.199.in-addr.arpa udp
US 8.8.8.8:53 193.148.232.199.in-addr.arpa udp
GB 157.240.240.1:443 connect.facebook.net tcp
US 8.8.8.8:53 77.121.18.2.in-addr.arpa udp
US 18.239.63.144:443 d3c8j8snkzfr1n.cloudfront.net tcp
US 8.8.8.8:53 98.219.227.13.in-addr.arpa udp
US 8.8.8.8:53 sb.scorecardresearch.com udp
US 8.8.8.8:53 ads.assemblyexchange.com udp
US 8.8.8.8:53 id5-sync.com udp
US 18.65.39.56:443 sb.scorecardresearch.com tcp
US 34.160.128.137:443 ads.assemblyexchange.com tcp
DE 141.95.98.65:443 id5-sync.com tcp
US 34.110.240.68:443 stretchsquirrel.com tcp
US 104.26.3.70:443 ad-delivery.net tcp
US 130.211.23.194:443 api.btloader.com udp
US 130.211.23.194:443 api.btloader.com tcp
US 34.160.128.137:443 ads.assemblyexchange.com udp
US 8.8.8.8:53 i.clean.gg udp
US 34.95.69.49:443 i.clean.gg tcp
GB 157.240.240.1:443 connect.facebook.net udp
US 34.95.69.49:443 i.clean.gg udp
US 8.8.8.8:53 217.194.101.151.in-addr.arpa udp
US 8.8.8.8:53 1.240.240.157.in-addr.arpa udp
US 8.8.8.8:53 56.39.65.18.in-addr.arpa udp
US 8.8.8.8:53 137.128.160.34.in-addr.arpa udp
US 8.8.8.8:53 68.240.110.34.in-addr.arpa udp
US 8.8.8.8:53 65.98.95.141.in-addr.arpa udp
US 8.8.8.8:53 49.69.95.34.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 t.imgur.com udp
NL 199.232.148.193:443 t.imgur.com tcp
US 8.8.8.8:53 api.imgur.com udp
US 8.8.8.8:53 eb2.3lift.com udp
US 8.8.8.8:53 sync.1rx.io udp
US 8.8.8.8:53 xeno-soswcrde4a-uc.a.run.app udp
US 199.127.204.171:443 sync.1rx.io tcp
US 216.239.34.53:443 xeno-soswcrde4a-uc.a.run.app tcp
US 13.248.245.213:443 eb2.3lift.com tcp
US 8.8.8.8:53 static.adsafeprotected.com udp
US 18.239.50.77:443 static.adsafeprotected.com tcp
US 216.239.34.53:443 xeno-soswcrde4a-uc.a.run.app udp
US 18.239.50.77:443 static.adsafeprotected.com tcp
US 8.8.8.8:53 o435357.ingest.sentry.io udp
US 8.8.8.8:53 www.facebook.com udp
US 34.120.195.249:443 o435357.ingest.sentry.io tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 53.34.239.216.in-addr.arpa udp
US 8.8.8.8:53 213.245.248.13.in-addr.arpa udp
US 8.8.8.8:53 171.204.127.199.in-addr.arpa udp
US 8.8.8.8:53 77.50.239.18.in-addr.arpa udp
US 8.8.8.8:53 249.195.120.34.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
NL 157.240.247.35:443 www.facebook.com udp
US 34.160.128.137:443 ads.assemblyexchange.com udp
US 8.8.8.8:53 i.imgur.com udp
US 8.8.8.8:53 api.rlcdn.com udp
US 34.120.155.137:443 api.rlcdn.com tcp
US 34.110.240.68:443 stretchsquirrel.com udp
US 8.8.8.8:53 www9.smartadserver.com udp
FR 217.182.178.225:443 www9.smartadserver.com tcp
US 8.8.8.8:53 137.155.120.34.in-addr.arpa udp
US 8.8.8.8:53 225.178.182.217.in-addr.arpa udp
US 8.8.8.8:53 p.imgur.com udp
US 8.8.8.8:53 secure-assets.rubiconproject.com udp
HK 23.42.175.200:443 secure-assets.rubiconproject.com tcp
US 8.8.8.8:53 eus.rubiconproject.com udp
NL 104.85.2.117:443 eus.rubiconproject.com tcp
US 8.8.8.8:53 creatives.sascdn.com udp
US 2.18.121.69:443 creatives.sascdn.com tcp
US 2.18.121.69:443 creatives.sascdn.com tcp
US 8.8.8.8:53 ssc-cms.33across.com udp
US 8.8.8.8:53 ib.adnxs.com udp
US 8.8.8.8:53 sync.bfmio.com udp
US 8.8.8.8:53 pixel-sync.sitescout.com udp
US 8.8.8.8:53 rtb.gumgum.com udp
US 8.8.8.8:53 sync.inmobi.com udp
US 67.202.105.21:443 ssc-cms.33across.com tcp
NL 185.89.210.212:443 ib.adnxs.com tcp
US 3.85.155.61:443 sync.bfmio.com tcp
NL 98.98.134.242:443 pixel-sync.sitescout.com tcp
US 3.227.83.44:443 rtb.gumgum.com tcp
US 8.8.8.8:53 200.175.42.23.in-addr.arpa udp
US 8.8.8.8:53 117.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 69.121.18.2.in-addr.arpa udp
US 20.127.253.7:443 sync.inmobi.com tcp
US 8.8.8.8:53 de.tynt.com udp
US 8.8.8.8:53 242.134.98.98.in-addr.arpa udp
US 8.8.8.8:53 44.83.227.3.in-addr.arpa udp
US 8.8.8.8:53 61.155.85.3.in-addr.arpa udp
US 8.8.8.8:53 212.210.89.185.in-addr.arpa udp
US 8.8.8.8:53 7.253.127.20.in-addr.arpa udp
US 8.8.8.8:53 21.105.202.67.in-addr.arpa udp
FR 217.182.178.225:443 www9.smartadserver.com tcp
US 67.202.105.31:443 de.tynt.com tcp
US 8.8.8.8:53 sync-tm.everesttech.net udp
US 8.8.8.8:53 cm.g.doubleclick.net udp
US 151.101.2.49:443 sync-tm.everesttech.net tcp
US 8.8.8.8:53 ads.pubmatic.com udp
US 8.8.8.8:53 match.adsrvr.org udp
DE 172.217.23.194:443 cm.g.doubleclick.net tcp
US 8.8.8.8:53 secure.adnxs.com udp
US 8.8.8.8:53 x.bidswitch.net udp
US 8.8.8.8:53 tg.socdm.com udp
US 8.8.8.8:53 cs.admanmedia.com udp
US 8.8.8.8:53 creativecdn.com udp
US 8.8.8.8:53 hde.tynt.com udp
DE 18.196.96.246:443 x.bidswitch.net tcp
DE 18.196.96.246:443 x.bidswitch.net tcp
FR 104.80.22.145:443 ads.pubmatic.com tcp
US 52.223.40.198:443 match.adsrvr.org tcp
US 8.8.8.8:53 sync.outbrain.com udp
US 8.8.8.8:53 us-u.openx.net udp
US 8.8.8.8:53 sync.srv.stackadapt.com udp
US 8.8.8.8:53 pr-bh.ybp.yahoo.com udp
US 8.8.8.8:53 sync.ipredictive.com udp
US 8.8.8.8:53 49.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 31.105.202.67.in-addr.arpa udp
US 8.8.8.8:53 ad.360yield.com udp
US 8.8.8.8:53 b1sync.zemanta.com udp
JP 202.241.208.53:443 tg.socdm.com tcp
US 80.77.87.166:443 cs.admanmedia.com tcp
US 64.74.236.31:443 sync.outbrain.com tcp
US 52.44.35.59:443 sync.srv.stackadapt.com tcp
US 35.244.159.8:443 us-u.openx.net tcp
NL 185.184.8.90:443 creativecdn.com tcp
US 52.204.19.136:443 sync.ipredictive.com tcp
US 64.74.236.31:443 sync.outbrain.com tcp
US 35.244.159.8:443 us-u.openx.net tcp
US 52.44.35.59:443 sync.srv.stackadapt.com tcp
US 52.204.19.136:443 sync.ipredictive.com tcp
US 8.8.8.8:53 b1sync.zemanta.com tcp
US 8.8.8.8:53 match.deepintent.com udp
US 34.206.73.40:443 ad.360yield.com tcp
IE 54.73.141.177:443 pr-bh.ybp.yahoo.com tcp
US 70.42.32.127:443 b1sync.zemanta.com tcp
US 216.239.34.53:443 xeno-soswcrde4a-uc.a.run.app udp
US 169.197.150.7:443 match.deepintent.com tcp
US 8.8.8.8:53 usersync.gumgum.com udp
US 169.197.150.7:443 match.deepintent.com tcp
US 8.8.8.8:53 246.96.196.18.in-addr.arpa udp
US 8.8.8.8:53 198.40.223.52.in-addr.arpa udp
US 8.8.8.8:53 145.22.80.104.in-addr.arpa udp
US 8.8.8.8:53 8.159.244.35.in-addr.arpa udp
US 8.8.8.8:53 90.8.184.185.in-addr.arpa udp
US 8.8.8.8:53 166.87.77.80.in-addr.arpa udp
US 8.8.8.8:53 59.35.44.52.in-addr.arpa udp
US 8.8.8.8:53 136.19.204.52.in-addr.arpa udp
US 8.8.8.8:53 31.236.74.64.in-addr.arpa udp
US 8.8.8.8:53 177.141.73.54.in-addr.arpa udp
US 8.8.8.8:53 40.73.206.34.in-addr.arpa udp
US 8.8.8.8:53 127.32.42.70.in-addr.arpa udp
US 3.213.224.199:443 usersync.gumgum.com tcp
US 8.8.8.8:53 53.208.241.202.in-addr.arpa udp
US 8.8.8.8:53 bh.contextweb.com udp
US 198.148.27.131:443 bh.contextweb.com tcp
US 8.8.8.8:53 ssbsync.smartadserver.com udp
FR 185.86.139.103:443 ssbsync.smartadserver.com tcp
US 8.8.8.8:53 7.150.197.169.in-addr.arpa udp
US 8.8.8.8:53 199.224.213.3.in-addr.arpa udp
US 8.8.8.8:53 131.27.148.198.in-addr.arpa udp
US 8.8.8.8:53 103.139.86.185.in-addr.arpa udp
GB 2.22.249.212:443 www.bing.com udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
NL 88.221.24.27:443 r.bing.com tcp
NL 88.221.24.27:443 r.bing.com tcp
NL 88.221.24.80:443 th.bing.com tcp
NL 88.221.24.80:443 th.bing.com tcp
NL 88.221.24.27:443 r.bing.com udp
NL 88.221.24.80:443 th.bing.com udp
US 8.8.8.8:53 27.24.221.88.in-addr.arpa udp
US 8.8.8.8:53 80.24.221.88.in-addr.arpa udp
US 8.8.8.8:53 login.microsoftonline.com udp
IE 20.190.159.73:443 login.microsoftonline.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 services.bingapis.com udp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
NL 88.221.24.65:443 www.bing.com udp
US 8.8.8.8:53 65.24.221.88.in-addr.arpa udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
NL 88.221.24.81:443 th.bing.com udp
NL 88.221.24.129:443 r.bing.com udp
NL 88.221.24.129:443 r.bing.com udp
US 8.8.8.8:53 81.24.221.88.in-addr.arpa udp
US 8.8.8.8:53 129.24.221.88.in-addr.arpa udp
US 8.8.8.8:53 ghaph.com udp
US 188.114.97.0:443 ghaph.com tcp
US 188.114.97.0:443 ghaph.com tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 188.114.97.0:443 ghaph.com udp
US 8.8.8.8:53 vitals.vercel-insights.com udp
US 54.187.186.141:443 vitals.vercel-insights.com tcp
US 54.187.186.141:443 vitals.vercel-insights.com tcp
US 8.8.8.8:53 141.186.187.54.in-addr.arpa udp
US 162.159.128.233:443 discord.com udp
US 8.8.8.8:53 a.nel.cloudflare.com udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 8.8.8.8:53 1.80.190.35.in-addr.arpa udp
US 162.159.128.233:443 discord.com udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
NL 88.221.24.89:443 th.bing.com udp
NL 88.221.24.67:443 r.bing.com udp
NL 88.221.24.67:443 r.bing.com udp
US 8.8.8.8:53 89.24.221.88.in-addr.arpa udp
US 8.8.8.8:53 67.24.221.88.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 140.82.113.4:443 github.com tcp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 repository-images.githubusercontent.com udp
US 8.8.8.8:53 collector.github.com udp
US 140.82.113.21:443 collector.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 140.82.113.6:443 api.github.com tcp
US 8.8.8.8:53 6.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 21.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 webhook-deleter.netlify.app udp
US 54.84.236.175:443 webhook-deleter.netlify.app tcp
US 54.84.236.175:443 webhook-deleter.netlify.app tcp
US 8.8.8.8:53 175.236.84.54.in-addr.arpa udp
US 162.159.128.233:443 discord.com udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp

Files

\??\pipe\LOCAL\crashpad_4324_SZZSEIJCSOPQNAXJ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/400-2-0x0000000075020000-0x00000000757D0000-memory.dmp

memory/400-3-0x00000000005A0000-0x00000000006D6000-memory.dmp

memory/400-10-0x00000000051D0000-0x00000000051E0000-memory.dmp

memory/400-11-0x00000000059F0000-0x0000000005F94000-memory.dmp

memory/400-12-0x0000000005540000-0x00000000055D2000-memory.dmp

memory/400-13-0x00000000055E0000-0x000000000567C000-memory.dmp

memory/2220-17-0x0000000000400000-0x000000000051C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hybri.exe.log

MD5 8cf94b5356be60247d331660005941ec
SHA1 fdedb361f40f22cb6a086c808fc0056d4e421131
SHA256 52a5b2d36f2b72cb02c695cf7ef46444dda73d4ea82a73e0894c805fa9987bc0
SHA512 b886dfc8bf03f8627f051fb6e2ac40ae2e7713584695a365728eb2e2c87217830029aa35bd129c642fa03dde3f7a7dd5690b16248676be60a6bb5f497fb23651

memory/2220-23-0x0000000075020000-0x00000000757D0000-memory.dmp

memory/400-22-0x0000000075020000-0x00000000757D0000-memory.dmp

memory/2220-24-0x0000000005540000-0x0000000005550000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/2220-38-0x0000000005D20000-0x0000000005D3A000-memory.dmp

memory/2220-43-0x0000000005DB0000-0x0000000005E16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\passwords.txt

MD5 68b329da9893e34099c7d8ad5cb9c940
SHA1 adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512 be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

memory/2220-122-0x0000000075020000-0x00000000757D0000-memory.dmp

memory/2220-150-0x0000000007480000-0x0000000007492000-memory.dmp

memory/2220-153-0x0000000007440000-0x000000000747C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 1d69ec93538070a8c6360b0bc6f6228c
SHA1 edadd8686e86bc25e830af10fcd691ddf8880bfb
SHA256 3da2404d7709a8e2b39771abe2554e3e23ee6b5a3ddb37f0425b37b26b9d0bb7
SHA512 d88a932269cc3879fefe6cf152cb6bed263d8596c57df90f5801caa79df10c568f8416fc09d8da49c07c1133450e1ab6af68a09998239c0256a238af3728866d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58748f.TMP

MD5 5e6bf2ed1e370d88afa559b9e2ddb470
SHA1 ffc988ac7c51c0b5efd09bbac3873908301fdf61
SHA256 2cc6aca7f79206d466ebf2c2ea5be9fc0181296c2bf69686f3a238a29cea4be4
SHA512 c6835e96c7318f8817bb07d0893292abff7fd59876295d2cfb937d3d10e2f20a3ce8d228916d9bed1e6830bb0f3b8e1b370814eaa050eecae1ba36846191db81

memory/5204-164-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp

MD5 1c96ed29e0136825e06f037bf10b2419
SHA1 b74a55279474253639bebf9c92f10f947145ff30
SHA256 b10cf8cdf541ca0dd6df79e66fb4b0854dcac717aba034ba0c4961bff92fd021
SHA512 0e74854d9de4e3944b2cff9b5de7eb19fdec1fee6c9576cae6cd81741adf84eac421cb743b1df30183f645ffe849357b6a85b5be8d7f6e2efe289bbe4573e177

C:\Users\Admin\AppData\Local\Temp\is-CL4RI.tmp\processhacker-2.39-setup.tmp

MD5 1c96ed29e0136825e06f037bf10b2419
SHA1 b74a55279474253639bebf9c92f10f947145ff30
SHA256 b10cf8cdf541ca0dd6df79e66fb4b0854dcac717aba034ba0c4961bff92fd021
SHA512 0e74854d9de4e3944b2cff9b5de7eb19fdec1fee6c9576cae6cd81741adf84eac421cb743b1df30183f645ffe849357b6a85b5be8d7f6e2efe289bbe4573e177

memory/5216-170-0x0000000002120000-0x0000000002121000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

MD5 87e8230a9ca3f0c5ccfa56f70276e2f2
SHA1 eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7
SHA256 e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9
SHA512 37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 c53e5c5d464c115e70f867dae2d75afe
SHA1 87bacd5bda64fc9e352f5303a16f2462167f932a
SHA256 e588fdab8ca0b3691e820308a0ee720a5cf896b4dbf5b489307c0d570e1337c4
SHA512 913a36a9f86b5247f0ca01d78f1d42182c6f2041d97f7a08f0182d0600337a32546c045d2b28fdc01bcd21e5dfe9d870e97886a5464969ef363394e2e5838a78

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 6e294451d71c389afb2d6e1507fa363e
SHA1 6c6784ba91cbef15c08aae89418dfdc8ef6acc5f
SHA256 ff0ca7b8f2d804e972924509d721feb720dff9e7e813f0011b9a732a3af7c9bc
SHA512 5de092f826e06b60ce0b4c62147125fece60de34a413a9249fe6dcce8d971ecb66e2408af093b253e5b18f7de483ced3a48e39266e67c48dc25d8c08546f2eb6

C:\Program Files\Process Hacker 2\ProcessHacker.exe

MD5 b365af317ae730a67c936f21432b9c71
SHA1 a0bdfac3ce1880b32ff9b696458327ce352e3b1d
SHA256 bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4
SHA512 cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

memory/5204-287-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5216-289-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/5216-290-0x0000000002120000-0x0000000002121000-memory.dmp

memory/5216-293-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/5204-294-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Program Files\Process Hacker 2\ProcessHacker.exe

MD5 b365af317ae730a67c936f21432b9c71
SHA1 a0bdfac3ce1880b32ff9b696458327ce352e3b1d
SHA256 bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4
SHA512 cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

C:\Program Files\Process Hacker 2\ProcessHacker.exe

MD5 b365af317ae730a67c936f21432b9c71
SHA1 a0bdfac3ce1880b32ff9b696458327ce352e3b1d
SHA256 bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4
SHA512 cc3359e16c6fe905a9e176a87acf4c4ed5e22c29bfca11949799caf8442e00ec0d1679b3d8754dbc3e313528d3e8e82c0ec1941e2c3530b48229c1cb337f6b8b

C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll

MD5 0e8d04159c075f0048b89270d22d2dbb
SHA1 d0fa2367d329909b6c9efcb3cc2c2902d8cf9b22
SHA256 282696487ea5dc781788d5d8477b977f72b7c70f201c2af0cfe7e1a9fd8d749a
SHA512 56440f3feddc124574debfe3789e14d908982d4d8e9516f42fab7db7bcecdd3badd2f75e005016a7b9d87a00d5646b8df722bae8fba3932198babbe5335cf197

C:\Program Files\Process Hacker 2\plugins\WindowExplorer.dll

MD5 0e8d04159c075f0048b89270d22d2dbb
SHA1 d0fa2367d329909b6c9efcb3cc2c2902d8cf9b22
SHA256 282696487ea5dc781788d5d8477b977f72b7c70f201c2af0cfe7e1a9fd8d749a
SHA512 56440f3feddc124574debfe3789e14d908982d4d8e9516f42fab7db7bcecdd3badd2f75e005016a7b9d87a00d5646b8df722bae8fba3932198babbe5335cf197

C:\Program Files\Process Hacker 2\plugins\UserNotes.dll

MD5 e48c789c425f966f5e5ee3187934174f
SHA1 96f85a86a56cbf55ebd547039eb1f8b0db9d9d8d
SHA256 fc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52
SHA512 efdb42e4a1993ee6aa5c0c525bd58316d6c92fbc5cebbc3a66a26e2cf0c69fe68d19bc9313656ad1d38c4aef33131924684e226f88ef920e0e2cd607054a857c

C:\Program Files\Process Hacker 2\plugins\UserNotes.dll

MD5 e48c789c425f966f5e5ee3187934174f
SHA1 96f85a86a56cbf55ebd547039eb1f8b0db9d9d8d
SHA256 fc9d0d0482c63ab7f238bc157c3c0fed97951ccf2d2e45be45c06c426c72cb52
SHA512 efdb42e4a1993ee6aa5c0c525bd58316d6c92fbc5cebbc3a66a26e2cf0c69fe68d19bc9313656ad1d38c4aef33131924684e226f88ef920e0e2cd607054a857c

C:\Program Files\Process Hacker 2\plugins\Updater.dll

MD5 6976b57c6391f54dbd2828a45ca81100
SHA1 a8c312a56ede6f4852c34c316c01080762aa5498
SHA256 0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e
SHA512 54d8b39457f516d921bb907615ff60a46b6031e1444a443c9657e06d78c9fb0f637ae4756bb7b884e4dca2f55902372ad4ddba1d020abe02e0a381702ae270cc

C:\Program Files\Process Hacker 2\plugins\Updater.dll

MD5 6976b57c6391f54dbd2828a45ca81100
SHA1 a8c312a56ede6f4852c34c316c01080762aa5498
SHA256 0c11cdc3765ffb53ba9707b6f99ec17ae4f7334578a935ba7bcbbc9c7bdeed2e
SHA512 54d8b39457f516d921bb907615ff60a46b6031e1444a443c9657e06d78c9fb0f637ae4756bb7b884e4dca2f55902372ad4ddba1d020abe02e0a381702ae270cc

C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll

MD5 3788efff135f8b17a179d02334d505e6
SHA1 d6c965ba09b626d7d157372756ea1ec52a43f6b7
SHA256 5713d40dec146dbc819230daefe1b886fa6d6f6dbd619301bb8899562195cbab
SHA512 215d6c3665323901d41ae5151908c4e084a04a1558617016f0788194304e066410b92943bd6c119339727037ee02cfda893b9baf5603b2870d9fc5ae0c77ca7e

C:\Program Files\Process Hacker 2\plugins\ToolStatus.dll

MD5 3788efff135f8b17a179d02334d505e6
SHA1 d6c965ba09b626d7d157372756ea1ec52a43f6b7
SHA256 5713d40dec146dbc819230daefe1b886fa6d6f6dbd619301bb8899562195cbab
SHA512 215d6c3665323901d41ae5151908c4e084a04a1558617016f0788194304e066410b92943bd6c119339727037ee02cfda893b9baf5603b2870d9fc5ae0c77ca7e

C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll

MD5 37cbfa73883e7e361d3fa67c16d0f003
SHA1 ffa24756cdc37dfd24dc97ba7a42d0399e59960a
SHA256 57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b
SHA512 6e0bfab9ff44f580f302cabd06fc537a9e24432effd94b50ab696b35f57a61772072b7f9045a9e99fa4bf3bc316f43ea25ab6c87517242e7957eb86575203bed

C:\Program Files\Process Hacker 2\plugins\SbieSupport.dll

MD5 37cbfa73883e7e361d3fa67c16d0f003
SHA1 ffa24756cdc37dfd24dc97ba7a42d0399e59960a
SHA256 57c56f7b312dc1f759e6ad039aac3f36ce5130d259eb9faad77239083398308b
SHA512 6e0bfab9ff44f580f302cabd06fc537a9e24432effd94b50ab696b35f57a61772072b7f9045a9e99fa4bf3bc316f43ea25ab6c87517242e7957eb86575203bed

C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll

MD5 12c25fb356e51c3fd81d2d422a66be89
SHA1 7cc763f8dc889a4ec463aaba38f6e6f65dbdbb8c
SHA256 7336d66588bbcfea63351a2eb7c8d83bbd49b5d959ba56a94b1fe2e905a5b5de
SHA512 927d785d03c1ee44b5e784b35a09168978b652f37fb73a1a2eeecd3583c28595fb030e8c1f87ab9a20beac4622775777820d1a2ad7219ba8b9ae8b6fbc4568a0

C:\Program Files\Process Hacker 2\plugins\OnlineChecks.dll

MD5 12c25fb356e51c3fd81d2d422a66be89
SHA1 7cc763f8dc889a4ec463aaba38f6e6f65dbdbb8c
SHA256 7336d66588bbcfea63351a2eb7c8d83bbd49b5d959ba56a94b1fe2e905a5b5de
SHA512 927d785d03c1ee44b5e784b35a09168978b652f37fb73a1a2eeecd3583c28595fb030e8c1f87ab9a20beac4622775777820d1a2ad7219ba8b9ae8b6fbc4568a0

C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll

MD5 d6bed1d6fdbed480e32fdd2dd4c13352
SHA1 544567d030a19e779629eed65d2334827dcda141
SHA256 476aa6af14dd0b268786e32543b9a6917a298d4d90e1015dac6fb2b522cf5d2e
SHA512 89362a7b675651f44649f0ea231f039e0b91aba9f84c91545f15e187c6cbd07bbf3648a4e232dfe5122cf5636e67c458f4f7dab49ed4de3f3a303aa396c41d1c

C:\Program Files\Process Hacker 2\plugins\NetworkTools.dll

MD5 d6bed1d6fdbed480e32fdd2dd4c13352
SHA1 544567d030a19e779629eed65d2334827dcda141
SHA256 476aa6af14dd0b268786e32543b9a6917a298d4d90e1015dac6fb2b522cf5d2e
SHA512 89362a7b675651f44649f0ea231f039e0b91aba9f84c91545f15e187c6cbd07bbf3648a4e232dfe5122cf5636e67c458f4f7dab49ed4de3f3a303aa396c41d1c

C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll

MD5 a46c8bb886e0b9290e5dbc6ca524d61f
SHA1 cfc1b93dc894b27477fc760dfcfb944cb849cb48
SHA256 acd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00
SHA512 5a4d2e0fa7a1a14bc4c94a0c144bfbfcef1ecabe4dc15f668605d27f37f531934778f53e7377bab0ff83531732dc15e9fc40b16f2d1f7e925429681bd5bdca73

C:\Program Files\Process Hacker 2\plugins\HardwareDevices.dll

MD5 a46c8bb886e0b9290e5dbc6ca524d61f
SHA1 cfc1b93dc894b27477fc760dfcfb944cb849cb48
SHA256 acd49f2aa36d4efb9c4949e2d3cc2bd7aee384c2ced7aa9e66063da4150fcb00
SHA512 5a4d2e0fa7a1a14bc4c94a0c144bfbfcef1ecabe4dc15f668605d27f37f531934778f53e7377bab0ff83531732dc15e9fc40b16f2d1f7e925429681bd5bdca73

C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll

MD5 bc61e6fb02fbbfe16fb43cc9f4e949f1
SHA1 307543fcef62c6f8c037e197703446fcb543424a
SHA256 f2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87
SHA512 0bbfe53e1dd933a3080d9775ad890fcbd73f9820885efa6b69e9664261249f34eaae3870f74de8511734fc9a0114f36e1bfc529a032d303a8e3e583e37a506c6

C:\Program Files\Process Hacker 2\plugins\ExtendedTools.dll

MD5 bc61e6fb02fbbfe16fb43cc9f4e949f1
SHA1 307543fcef62c6f8c037e197703446fcb543424a
SHA256 f2805e0f81513641a440f1a21057a664961c22192cb33fca3870362c8f872d87
SHA512 0bbfe53e1dd933a3080d9775ad890fcbd73f9820885efa6b69e9664261249f34eaae3870f74de8511734fc9a0114f36e1bfc529a032d303a8e3e583e37a506c6

C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll

MD5 4858bdb7731bf0b46b247a1f01f4a282
SHA1 de2f9cbcec1e1fa891d9693fb3cadfdd4cfe1f60
SHA256 5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60
SHA512 41b39560e15d620733ca29dc37f55a939a653f99686ac86643ccc67fbb807ad95d1996b867319d98506f3b8a30772fff3c3317bbcc205987f48031923f674d9a

C:\Program Files\Process Hacker 2\plugins\ExtendedServices.dll

MD5 4858bdb7731bf0b46b247a1f01f4a282
SHA1 de2f9cbcec1e1fa891d9693fb3cadfdd4cfe1f60
SHA256 5ae7c0972fd4e4c4ae14c0103602ca854377fefcbccd86fa68cfc5a6d1f99f60
SHA512 41b39560e15d620733ca29dc37f55a939a653f99686ac86643ccc67fbb807ad95d1996b867319d98506f3b8a30772fff3c3317bbcc205987f48031923f674d9a

C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll

MD5 be4dc4d2d1d05001ab0bb2bb8659bfad
SHA1 c0ed9e375b447b61c07c0b00c93bb81c87bcfc2e
SHA256 61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795
SHA512 31389e268fe3bf1175fa3c251ca026f77dc59361b8425c9826f31d18c5174e6de68c6092aef187f2bd2c92d89b3093a660b2fe6189af369293c1117c856b5cdf

C:\Program Files\Process Hacker 2\plugins\ExtendedNotifications.dll

MD5 be4dc4d2d1d05001ab0bb2bb8659bfad
SHA1 c0ed9e375b447b61c07c0b00c93bb81c87bcfc2e
SHA256 61e8cd8de80a5c0d7ced280fe04ad8387a846a7bf2ee51bcbba96b971c7c1795
SHA512 31389e268fe3bf1175fa3c251ca026f77dc59361b8425c9826f31d18c5174e6de68c6092aef187f2bd2c92d89b3093a660b2fe6189af369293c1117c856b5cdf

C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll

MD5 b16ce8ba8e7f0ee83ec1d49f2d0af0a7
SHA1 cdf17a7beb537853fae6214d028754ce98e2e860
SHA256 b4cc0280e2caa0335361172cb7d673f745defc78299ded808426ffbc2458e4d9
SHA512 32de59c95d1690f4221b236376e282c8be1bb7f5d567592b935dcd798b36b80e86da81741c5845fa280386f75f6eafc9bbd41035362984150b134d24aede61eb

C:\Program Files\Process Hacker 2\plugins\DotNetTools.dll

MD5 b16ce8ba8e7f0ee83ec1d49f2d0af0a7
SHA1 cdf17a7beb537853fae6214d028754ce98e2e860
SHA256 b4cc0280e2caa0335361172cb7d673f745defc78299ded808426ffbc2458e4d9
SHA512 32de59c95d1690f4221b236376e282c8be1bb7f5d567592b935dcd798b36b80e86da81741c5845fa280386f75f6eafc9bbd41035362984150b134d24aede61eb

C:\Program Files\Process Hacker 2\ProcessHacker.sig

MD5 2ccb4420d40893846e1f88a2e82834da
SHA1 ef29efec7e3e0616948f9fe1fd016e43b6c971de
SHA256 519c2c2ca0caf00db5b3eb2b79dfe42e6128161c13aeb4b4d8b86fbffc67e3d4
SHA512 b2a000b33d4a9b2e886208fc78aeb3a986f7bd379fb6910da9f6577603aa6e8237cb552eabca70445f37b427419beeff0b061090cb952331b8db322ce2e58bc6

\??\pipe\LOCAL\crashpad_4364_PUIYXDFCLQQOJDXN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e498444011304c645b36e1ee66e9ca87
SHA1 31c7b34bd920c7938bde61d7ca3597b624beebdb
SHA256 b0ee5be38f96298e49b4400ef42d54b7c6787c459ed89b073ce0dccec454f238
SHA512 db7a7a959872a8a7360c365131887e093bf367b0ca1c1b693fc8845772b32a99a89fcdb69a97a7cae8eb2a8e9586c2f3391a651222d2b86ad6f0671e611c0355

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

MD5 3f775429c3d783de84734e52a60b39fe
SHA1 9d3740b7a7bbd8e4ea216d25a55a8e8b74697f06
SHA256 f10a9bab22a1377ff64a11acd2d7c29f07cb016311cf5f054adfa0a233c05e42
SHA512 d94b3542bf26ad11c2ca37ba786cabc9489a848d398b3b0555d4d58029013d36c97d42a1446765fb3c0c15b07b2c66f7d33e8100ad5a13219b887500e1134bf7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

MD5 0269b447aceba7d989e566aaab48daf4
SHA1 f32439d0ea286259f7c2d5b48a846382049a661c
SHA256 b5d27401fd5ee067ad61d2ecde7496c657793330c328d4421756e2488462510b
SHA512 606099a38be37b10a0b322609da54cd6a0cc1b9cafb7db307bfea740f2da5a4854efeaa91237d566eeb7f101b1a901dbeda7922276b7a6116da40fa1f341cef8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

MD5 ff35bd5a03cae9c376d02b830fafea27
SHA1 375247853ace81e30cca0c5e1483552ced415816
SHA256 9ad6c263902bca293f80814b0df09ebebdc55c9681f370d7d8a546c6bc54d2fe
SHA512 35174766da12d308fa0b5dac27c7ee7b50aa46281be7f6ecc2d209676edaf59c4d5a5348876cbfe07977eab654c73bc64ac7b3a21ade1933c3eac435d5f6035f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

MD5 f53cc2e80f017384dc5ca5d7682bba88
SHA1 9310baa35ae32d3e26c350ab43b42c8eabc4d817
SHA256 ebc60a345c8c88e4248ff29c3882cd930ec4ece9e73cca49e533c9b7396631d4
SHA512 fb2deb2e7ad73417fc57d08e59c94acf532a1acb91d133e02ce8814069a597a7ca6ecec68becf2f67a1b7be4c690b58b599b2bfb0c420f69b1f498e85d303806

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d5f9c2225a66827595d61a90b6ca1ab1
SHA1 1a47df687687d07662eb6e9831a5ced88a5f1083
SHA256 93ffbade68d4961cc0341f9cf67b27c8b0068fc7047f701c304108e9acac0afa
SHA512 864a327ee371c475a28f36c3fdc290f04d37726dc1627ef9cd92edbfedd0f7f8a3df7fbd3c3a27de582693441029b55d2ffc8f38066418fc50faf9f8566fcb4f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 487acca263d0f828d3c3f3636749a638
SHA1 8fcdbd3e7e836f54279c35e6cd8c6a95d4b761c1
SHA256 1b23dbde95bb41237bdfeb5bff2c80850acd5ecdbf2a9dff6239bec53c1f2806
SHA512 591e75af80495df9705279a96254d80a6946294f4b2b7e72d1ae55756cff0a0eed5aa3caab401d3f4ef8954b94d5e0528c46cd75a9a4603fdafe680e619dafdc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d72a2d31fd4db3f3f80a585946f88a8a
SHA1 0ebe43477d9983e98d50cc051efe191bdeb0d67a
SHA256 1f75af70a5d8f97d6c18663539e3404b92f26fa5019cae719fb03eaa55151865
SHA512 40dcf971d3af183078e2ae57df440de2fbea429a5ad559bd909654bd6e3f38f6edda28b31fd4259506cd747ce1b7149824dbac929abcffd522d22d43297d3b25

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c8cf8f40219d4d710c331dc12295e9db
SHA1 bcc88586e2d0d43ac23244bc3451ac0f4ed5dd69
SHA256 3fda6008a2171ad0769042113f3ed75139b13d7f379619137d13a97d5c8484cc
SHA512 6462c7188034bb8c8a59f4832a7b4eb9ce543dab5e73523d28bab8ef5c29a127879c0ef372466c7288b4b91fe266783bc71662e95618ff92e93ac4a947c6fecf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2b01d8add84d0e8f1c3cd848dc26fd64
SHA1 a3a65a81749e2e6d7cfc22d48de86ceb526ff2bb
SHA256 2a0b52f5fca5a664eae35872db28de1387fa5f15fddc21e0c11ba5b026a9686f
SHA512 60d6df5380aca30c1c11a8c65100f9fe4b477f7b794a25a067796bea4698f16f616ce38021cb907a4b2cb7344d04f185f8170922087beb1fdb5ba6483487de1f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ef5f01575c9d7cdd70ab201b69e66c8f
SHA1 1d75dc48e069a6fdc14a27903e898a18227f8eb9
SHA256 9fdf6e44c0786addefd04b8ceb5bae1710339c7f7344a83bf96520ea24efed50
SHA512 c4105376ed194aae45e2f6bd683a3b45cb853496fd9b23e39e238d1b7089789ddd5b320ad2d2f0e566dc361a3d14abde9341ce3e3d8b156004b815b4647ad7d6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2f67f76381583fb6da0f8d85e79d48df
SHA1 fd82be866795c7806455060f40f2d3f762b7e35d
SHA256 304895471e822e62cbfca6fdfe2e49cfe017ebb2e1847a3f1965aa5db4feb3a3
SHA512 14711be0ff63197e1f42a6c9988a7ac3c31720e70b8336b23a687939ff9f52581958ece5c894e4a049316689dc4554a87dd9c118dc5799269a22345840962528

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2ef9019619c2cc1a061e2e1ce13e727b
SHA1 86edf2b4d1f613eef3d76b4acde43ca9124dfe62
SHA256 a9a87fd96cbcf0d159dc6c8ba829215b879467b91026bcd85162bfad402ef39e
SHA512 2bee8b359e2a22ff0f035d2f2332ea5c3ec3026a888291f6a61c86dacadfa8423245ce63af2f0025fcaa0a3399bf8b559b755cbbb30bdd74d2cf55a5e8ce5f2d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 72e7d779f58c8579ef559fa15a519ce9
SHA1 ef759631f6f369075f3586272077509dac65bca9
SHA256 8b503591eaefccdc7862fcacfca58354bf8f0e6524b5143e15f8a0523db90509
SHA512 4166e61ffa19e87a60f6b1905139731af79b844c8488c316983774e75d4fcba7e81d18b144ec1dc4f7062a093d2857c0ba0ace39d53e231fb3bf3d1241cf6109

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 42a49e60065f2a0a935a40b91ee3f254
SHA1 ae61feb85fc74f68899dee0a8900facf9ca75e3f
SHA256 dd26b9c0b152921ba3fd45dcba60b34aa16ae4b5556b0a635fa12e51a19a77ee
SHA512 37aec1f3c180d1722b37c8b3d39f369b387e5efa569c7d3577e07b2f5ade243ca61678fb709d4f7ed3d61c43e06b11e768dfd85c6423b3bd1f354332f310ebfc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e20d3342094c14f402e4ba17aec837aa
SHA1 e092759f759f59e387e71f076ad44794a1403a8b
SHA256 6b7e01aac61558d747e2b30e1a8f1fda53736587f20101a6ae91cc4f141222ba
SHA512 91b7a1345b0a9d64523e85a9ff652acac06935a364af103a06b78f8eea4928f7b22d89cabbe0a7a7aa62b5af35de1f67620bd661297d9d0585ef5af10858ac3f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c9a7d71bbbe15b0e3bcef5e0e616d3fa
SHA1 da90ca0fd42ff9480c596a4958ca7f78824a5842
SHA256 68a48f0301474532034ad445b030ee3a6a230c23ecbc54b92d69128db2fb26e1
SHA512 65248b30c4cdae3f8fb10a5057e9638681a7fccabad8953d8698fb5d22d6827c06d25dba9d11b6263efd86c2b5a9553b49da6a78b68bcda02da2fc3342a6e180

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 5d3f69f0eae18352fb7744e33e5a2c85
SHA1 9a7dc2803dbf4ac31bf38d635271955ee00207a9
SHA256 fec0a578be20af4d804cd4bb32507718d89fc209b4c012b4597e8b6c06bab5f8
SHA512 7ddc8d9eeb271ea3437a1891cc68d04e7371401925efeed706b28a0d1cd7993e14c8dd9b1b8810e0adf61a901e5e62a7b80ce1009ce4d2803be5e9546a0772d4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 95e491184ff9503d08e1af23ca8aa4ab
SHA1 6b4d93bbe24f55237e9f42bb95b13dfef9d67f8b
SHA256 b5356c855d9c7dc4bc149b996214b7a8f8f21e5f083b603a2c81a0b8a899d4f5
SHA512 9226dc6c12aa6b3470f054b7025df413586dd1d839b85a6f73622a43b33c2a2dfc57442be2f7b9cad05e6805d1fdbe6eb4171e06e408c5c85831798df8cc371a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2a175bc30b85a67ee91093bb7c7e50c5
SHA1 ef0987961374fd466b63684e5f5cdd7432088b98
SHA256 89499d976c7d587e600e60eadbbf168932e33265640f7afe6b2847f07325a89a
SHA512 79f5bd493444db1d9a43ea7278f8a0f20e6fa4f8f70d65ba2231d3d4ab7bd87b3214c6777f6bf4cfcded04df946feea2e082fb4896fbc4c6f906f431006b73dd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7ceaf1a8ce9cf274d1f87a28ee55ddb7
SHA1 74dd2216224ab2428da5c9a41550a67a926a7064
SHA256 9a315128f57c513e93963860063a9e98f450e3eed5ea2aa7fd613c10b1b31e4e
SHA512 1bdbbad1d20ae8592fc357e55379e6129f7f6ec5214c488e0260e964e76c93c9396fdf521d149a9fe1aa34ebe94753da50775073b5c93f9376c6c241df0df2a2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 42eb5025211a0f9dd705f550bc268044
SHA1 32dbf36a5a8f5a3abe4d45ed6b337f263f1e81bd
SHA256 6bb3c547ca4feb376fc7d647a7bd66579f00241da0b66cd97dccf7887bc307f6
SHA512 7bc85126365f312a767c2edfb24b008aabb0584592c4ef7ea3c2904ee35e4272ce3e86cb52cd76ded130018557f6cfeccb7e73baf50f380c4464cd4511cf27b2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d45f813a5846d1552921649ead0aab62
SHA1 3f90e45cf6ad82356ae25a95b333d6d13173384d
SHA256 270bbec59fefb28532654800e5b6a00aa82f91e392935f7725af0a1731a59328
SHA512 2e91b2967c587d12842d2e123652ecda8b23e61e913a77b82fd5d76d356dd9d09ce4a5669e8b51c9f161f8f51aefd506f33f1ceef60a9512fc2ebce4b7cb3104

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7e3123177d3c561b171f14d0a9523388
SHA1 d0a0e14fb30bfa2cf4b8fbe8392e99e6c0a7562a
SHA256 0ff850ff3750f45971ae629050ae59e2bbf47d5eb7fac669d048b5a450f7a435
SHA512 ff116f6afbe30da293dce2f16937033725f9e0b99a221b895fa2dc93b64669b13c51eee3f2e79bb7eb456e033b9b93163179978b0de86b6224a37fe4fdaded74

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 b772a81cf529e7f62019a2668fb963f6
SHA1 452c558aba095922dcf9ace1138a6b3b9fa8ae4a
SHA256 ab35f7c44b8d081897af948ea64a06039342b39749679f741dd62e6634dcff3f
SHA512 5ce91711e6e14a05518a03dc2d0ca64f43862da5cd8b3b5420460c699d04dc9cdf92e0cb1b91bafc2ce3aff5c81aa35f4bbb6e9bb6c3daedfda65f58d625b3f6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 be982b0ef92df777f60b4d7ab22cb5c3
SHA1 4505e93410bd820816471b85998c9593fe0292a6
SHA256 8a89e6ac1460a5538635c42026ba4a367fa6ea8066dda3d2a6d5705a7ca82c94
SHA512 43926aedc85b27a379e9da80b57b13dd3a83b0bd391dbcd34742fc8bb467e13410a0a90b2361247c057651b71074149a2d98f8a3a1ac9098c041fb3afdb5b09e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a9f9fb3da1b5608f80942692def1d53c
SHA1 4ea26cbbaf69e19c9fdf7f2ec74922197423f6ff
SHA256 48a67017f39e3ccfa7b85aa76cc263b7b004819b4af5510c55d53fa657c4d22e
SHA512 d382a3bb085fa67dc8c5833fae06761c4059715ba8834de61354b2b890f99ebe19a8f89ee0ad4b9b63446fca8cd34705667b09f1efa79064d004525ea5456614

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a42c7183e1fd0f8c1c9afec1a4c5cd2d
SHA1 10c7719c6e76c3f2ac338a53929f706a0b82d09c
SHA256 f7230d77b47b72c1418a2ce18e31744174b3adbec949e0d6cea229b870c99967
SHA512 695d48f3c79a006d3ea6a4e7e9c0228ee430799210d6ee276cafac7545ae6d40246279a0d3a1c21914182b3d055787f418fe835ceaba73c80cccb08c78b3ff62

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 1eea5c2c30395c0251d76511cc3213dc
SHA1 0e551d327f99fa754340b0aef0842577efd5f1e6
SHA256 037a88f38070c6c0de3e07019cb503e3cbe55f319c9a08ffc24296754018d310
SHA512 d44332cfbc2261f194df162ea61301d584e18f51a3802e46fea62f23aaf9919d35d307ff527ae15aa8e7fc5b5e3bc75cef6570417ad17fb248f889e562edb0db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 83d93cc4a7853894592b35f8af1a0e24
SHA1 f55f03cc4aec2f3612eb5afed222199bb33feef2
SHA256 9e40e966418cf23946d10857eb40007f368776d00687e93448a214dc71ae6c74
SHA512 d974d5a9b2cf9ade703dd4dba43a086c7b78b2723198880f341f6cebd0071e63822f8c9f22ec98f299e2da9609171575076bc755515e34b453f8347579be4a5b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 622f86b6b7e448ba93de7f4c1a2f41f4
SHA1 7a91f2fdc56b0b9ff05856c2ee2ba4d8550a9076
SHA256 837eaa21de5d634304dbfaca6b1dbf6af1924225a808a0757b893b7df39305d4
SHA512 f4c4a87e5ca4ae0b2e9e5c0b1c2c55f0b7225f72f91009788b3830e9b9852042ef50327bb348ab42ffb14d6c90e1466c51bccf1e6478ab84e65682e463bf92fa

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 bebcbff6c9622632280fe07ee68a3755
SHA1 d5121e5d8ce6767889c406899538d95d6833aac1
SHA256 07effdd26d771b567cc8adc26b1a74e8a9f59fef317f0cd13841859d9cdd4be0
SHA512 8803f46a57bb691f3128f4c4b4dd8d34799f0f4421eb7da427fe695315af8dca320870f54aa808af1f4d97350bbfc2956f586aff04c7993bd5158b668bb301a1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 76786eb44a4949afe5dc69628e207131
SHA1 0db780a7ecccf0a833244a85c552c9d59c1a93dc
SHA256 d6c09cf817b2ed7e5f94ea48c9950b39e13a3792a769de2dccfe5dde677ef3a4
SHA512 9df048a07f417818df489682aee13e38e76c66594c4e4a53e91c60fb086968248cb8af3b4ca00f8cfa4768e62ed4d882a32258022c7eb7cf0d2b680aa1f201d3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 98fe4ed24a1ff5235d3e1bb37a21d1be
SHA1 3908917e1d7fe36a2857f8a979efba43114f98fb
SHA256 edd9df84f5391f05eb6399af5db6fe1d41de5a585b96b4ba949ce94189090e07
SHA512 f653d429d025f75a50be0b16913f114072badf0c25a54ab5cfdf2ccf461d5b22cafc0eb3741d29930668599af448f7cbcc0e88c0df95e1e6bad5457565891c68

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004e

MD5 3051c1e179d84292d3f84a1a0a112c80
SHA1 c11a63236373abfe574f2935a0e7024688b71ccb
SHA256 992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3
SHA512 df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004f

MD5 68f0a51fa86985999964ee43de12cdd5
SHA1 bbfc7666be00c560b7394fa0b82b864237a99d8c
SHA256 f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f
SHA512 3049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b9e93d7f6d942b26c9ada3a625d86cff
SHA1 b518c51b8830a231aebe6c2c1faff29070cc107a
SHA256 34ab6d1626f952c99450e010aca7293be60d0fbe15ae4d1a28fc3339de21a690
SHA512 a2440ada1a2df48c7e4734659ec0c8057d9436327b491045a0e28d873eb3c468a922c623c71b660a1bca183c2e89931777ba430571f11c9ab192c0263a595e66

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 457d1ac0889cfa609134e005645ffd43
SHA1 8a4058c22b396bc1587170bb36ab130a9ec1c013
SHA256 e51fca4b319433f9e66c0360c31db0ac841415c2486d5b4c7ca1078ba2a17e56
SHA512 0b6cecb696c69f04ac7d3148e7d5b4d641c1c76cfb3c8746e1c93dbd38fdaaba0c24180d61c84b74147ecaf3a46fb6e429324200101141b9c1ee72778506b3cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

MD5 d716b6013bc03f1e4fe2d5cd719c595c
SHA1 01347f66988db64e410b5ce8b8a8c353ff059296
SHA256 fc8a8b1cf010979eb77a33e4c8fcc744a884fed8147a326bcb39f7ee9aeeb32b
SHA512 cad4f0b076fe741297b4d1845013cdb7e7f092202f1e8b9c23532623d7b73bfe8c7c37af5078bc6d571e4b7276e6510a340838d34e84c470f6405281c7f2e9ab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

MD5 bfe589d7b7e3f06cee5351e805ea1af2
SHA1 0880735ee4e30ac4dc25fc2d4d03cd5a45bf9c1e
SHA256 2ff2bcbcff531b220ba593814fbaa833de9d1f72d1a8036d46b3f5b766aec3c6
SHA512 dd183e01261385f2d1602561f51253c37e785d7ca8572d1a1a059a6d9ff723baea014fb3cc2ac39918622d0d3db7dace315d472ff1c403fe21c60e691880a1b8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

MD5 04cb676d26899df8beca1fb9da675b11
SHA1 ef369339c3643b564d8c5234dc24060c8f027700
SHA256 0112d431af82a350fbbf05dc09f67eb57639e82959d31488fef908cfc4df60c2
SHA512 55579fbad58fb0d45c6b077627954acac1772bfec2ee6b91f03e9ebcca046eee4c1fc5de4abadf4af117a43be25a10384f08689daddd7a2ae88cfb6f7337c5da

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

MD5 99ebbe83e525652c9732d9bb94fd6a89
SHA1 cb70a4781886ffe5c013d8c23444271a61b0720e
SHA256 b1e3b57191c27079b513a300bac829cd5bcb46d0a644470aebe9d2a6ff70be85
SHA512 bafdfec00e1b0dca441e52d05a414f9f90a1653194c4b29e26a06fad566afb53a17f7c5db40736eae652b4fd2021fa287f2ae61d788e89bbb0c8e01845b87287

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9155b6ecee9d06b73ef2c2f81285f25d
SHA1 c9b87dce5ed542cdd43d15565ddc295d031d2be7
SHA256 787763d5408d570c1ae8eb42c293fb0b413f0ff0c5faed1c26ee8e404703b4e7
SHA512 2b8b10e96da0bede0d47386c4814b66c33f563499ff222f59b747638b2074673ded420bd38b017d20800d5807285e988652734fb80654dcc7435d564a4a97799

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9fa752b3-eb8d-460c-8437-7cc5261924b2.tmp

MD5 ff33f158c230234720ba78ac8dc48bdd
SHA1 5da01240038bd4109280884140724d892c416a86
SHA256 a08811245a08f6d2f5d3e35a964a388ea97f8e6cdf2c1066c320f6b7bfb020b0
SHA512 21978e7f0ff6bf3c8180ebe05585f84f01ee29fc765284fb6413e9ec1743e13de4f0255534a3c2d6a6c26598a581bb9c103e955242d94e703a00a55fdb9f28a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9ce37e9618de4204e0706c532f8ab153
SHA1 fa2f2faadc0152c452ddc11d98fcc099d41681cc
SHA256 23bca670e6c96e9bc7c86d8c493058353bdb7cb18b7c2c94e0248f990085a7cb
SHA512 1974d9ecf7f53a00dff915a385a8be78563f8b5a5715f94c2f65117e831d99ed1aa987c4ecc61bfb728a0c42458fc7e4a9924e4b78403c6e07f83b9f013667ee

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 865b23bc7d60eed5c41c50c17524d835
SHA1 c1320ab752a4b7c2d0eec7d47d9017ba8e2cd806
SHA256 055330d561959cdf1c32db3ded06fab8d9b2bfb1cf48396c04eb84087f45df84
SHA512 cdb1263a547677692a523fab1133faba166b52c9e5fae819c23890f7e61862c5f5e5ccceacd5555fd254ce71ac755bc7cd87bae23d47ecf0fbee90881e059ff3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 05755358d15710b091cb8c0a49d73840
SHA1 56d60c297d8432ea39a9c0c399db036df5e3e9ac
SHA256 cd1b9236772105701b2acb623d5460dd5b6ff98eb9177cbb2b597c2f0f6de295
SHA512 a5f3f841d13fd67c9f1a60d74ac0478b6c9cb0f01438f91553dbaf3b3b152922bdef19ecdd9bfc4d8cb66cb2e8cb0932b3000e9a071fc00b61a7586799952693

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 8936711d0d9bad3d52ea183a92b043e3
SHA1 3fac1be1da5eb50f29b0192039bd035ee87ce797
SHA256 dd554733260152fd10dbe3a74d2cbcbd087d774f2075ebe58806cd756b58e714
SHA512 3afdb1a238bcdb1d3db5b03fdfc826aa657bf2f1e8ede06d6ea327c39204116845c9e38e43f8522954229499c806b448aa1d6e76214e7756781f79ee09d42419