Malware Analysis Report

2025-08-06 03:37

Sample ID 230923-y2pq2sca53
Target 3f5d7a56ba1191ed29d0adb424c142bb186038a2511038ab40ac2f72b1f76aba
SHA256 3f5d7a56ba1191ed29d0adb424c142bb186038a2511038ab40ac2f72b1f76aba
Tags
fabookie healer redline smokeloader xmrig nanya backdoor dropper evasion infostealer miner persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3f5d7a56ba1191ed29d0adb424c142bb186038a2511038ab40ac2f72b1f76aba

Threat Level: Known bad

The file 3f5d7a56ba1191ed29d0adb424c142bb186038a2511038ab40ac2f72b1f76aba was found to be: Known bad.

Malicious Activity Summary

fabookie healer redline smokeloader xmrig nanya backdoor dropper evasion infostealer miner persistence spyware stealer trojan

RedLine

Healer

Detect Fabookie payload

Modifies Windows Defender Real-time Protection settings

SmokeLoader

Fabookie

Detects Healer an antivirus disabler dropper

xmrig

RedLine payload

XMRig Miner payload

Downloads MZ/PE file

Executes dropped EXE

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Enumerates system info in registry

Suspicious behavior: GetForegroundWindowSpam

Runs net.exe

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-23 20:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-23 20:17

Reported

2023-09-23 20:19

Platform

win10v2004-20230915-en

Max time kernel

103s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3f5d7a56ba1191ed29d0adb424c142bb186038a2511038ab40ac2f72b1f76aba.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5D1B.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0308522.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3f5d7a56ba1191ed29d0adb424c142bb186038a2511038ab40ac2f72b1f76aba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6979858.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6205487.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5FBC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3528 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\3f5d7a56ba1191ed29d0adb424c142bb186038a2511038ab40ac2f72b1f76aba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6979858.exe
PID 3960 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6979858.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6205487.exe
PID 4460 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6205487.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0308522.exe
PID 4472 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0308522.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1930625.exe
PID 4628 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1930625.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4472 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0308522.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7388234.exe
PID 3188 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7388234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4460 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6205487.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8775399.exe
PID 4660 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8775399.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3960 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6979858.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2808159.exe
PID 3824 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2808159.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3528 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\3f5d7a56ba1191ed29d0adb424c142bb186038a2511038ab40ac2f72b1f76aba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7603212.exe
PID 3124 wrote to memory of 1388 N/A N/A C:\Windows\system32\cmd.exe
PID 1388 wrote to memory of 1068 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1068 wrote to memory of 3944 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1388 wrote to memory of 2084 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3f5d7a56ba1191ed29d0adb424c142bb186038a2511038ab40ac2f72b1f76aba.exe

"C:\Users\Admin\AppData\Local\Temp\3f5d7a56ba1191ed29d0adb424c142bb186038a2511038ab40ac2f72b1f76aba.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6979858.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6979858.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6205487.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6205487.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0308522.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0308522.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1930625.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1930625.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4628 -ip 4628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 580

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7388234.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7388234.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3188 -ip 3188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4140 -ip 4140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4140 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8775399.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8775399.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4660 -ip 4660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 552

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2808159.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2808159.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3824 -ip 3824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3824 -s 552

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7603212.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7603212.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4F8D.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa97e746f8,0x7ffa97e74708,0x7ffa97e74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa97e746f8,0x7ffa97e74708,0x7ffa97e74718

C:\Users\Admin\AppData\Local\Temp\5D1B.exe

C:\Users\Admin\AppData\Local\Temp\5D1B.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,5370045655197682665,501853850755219088,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,11952260989774090264,2383056265297507975,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,5370045655197682665,501853850755219088,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\5FBC.exe

C:\Users\Admin\AppData\Local\Temp\5FBC.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,11952260989774090264,2383056265297507975,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,5370045655197682665,501853850755219088,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5370045655197682665,501853850755219088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\63C4.exe

C:\Users\Admin\AppData\Local\Temp\63C4.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5370045655197682665,501853850755219088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\ss41.exe"

C:\Users\Admin\AppData\Local\Temp\6953.exe

C:\Users\Admin\AppData\Local\Temp\6953.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5370045655197682665,501853850755219088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5370045655197682665,501853850755219088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\is-ER9MJ.tmp\is-OQ8A5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-ER9MJ.tmp\is-OQ8A5.tmp" /SL4 $501C2 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5370045655197682665,501853850755219088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5370045655197682665,501853850755219088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5370045655197682665,501853850755219088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5370045655197682665,501853850755219088,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5370045655197682665,501853850755219088,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RBvfugTGdvfZCHCgvSoHZdsYt2u1JwYhUP.RIG_CPU -p x --cpu-max-threads-hint=50

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.231:80 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.61:80 77.91.68.61 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 61.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 78.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 157.240.201.35:443 www.facebook.com tcp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 z.nnnaajjjgc.com udp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
MU 156.236.72.121:443 z.nnnaajjjgc.com tcp
US 8.8.8.8:53 facebook.com udp
US 8.8.8.8:53 15.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 121.72.236.156.in-addr.arpa udp
NL 157.240.201.35:443 facebook.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 147.174.42.23.in-addr.arpa udp
US 8.8.8.8:53 9.175.53.84.in-addr.arpa udp
MD 176.123.9.85:16482 tcp
US 8.8.8.8:53 85.9.123.176.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
MD 176.123.9.142:37637 tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 142.9.123.176.in-addr.arpa udp
NL 141.98.6.38:39001 tcp
US 8.8.8.8:53 38.6.98.141.in-addr.arpa udp
US 8.8.8.8:53 app.nnnaajjjgc.com udp
HK 154.221.26.108:80 app.nnnaajjjgc.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 rx.unmineable.com udp
US 165.227.182.82:3333 rx.unmineable.com tcp
US 8.8.8.8:53 82.182.227.165.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6979858.exe

MD5 d539e9babf2138995b8e115909480d4e
SHA1 20c41b732407a83aef0b016f4c70b1363ac4d0a6
SHA256 414b9e2857987f4e8ed2663f86ddfbccf5d102c03ad5a8f53b7f54c3b76efe7e
SHA512 0ba4361a97203acc3452e93b7fa19d87d9f29c74315e14fa895a1ca685b711522df88183e395105c57f366a2d2b9e312f44d198824d223333fa599a1eed0c979

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6205487.exe

MD5 bfb3c1edfdf3b8310d672c52fd5682c8
SHA1 affbacb0d314e3c49ef87a1fd96ba1145db0101a
SHA256 7eb0cc786d6c325cd7de9e95a46d3ff55bf013e07a05334a8dddbe3872e4d485
SHA512 5a69573c20dbbf10fd74e9dd535c86197797cb69ce20090bca01181cea7fbbd4bb3ab8ec3c9764514b445915ca5afc84d71022a7615e113c92ed841d2327629a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0308522.exe

MD5 433dc5f1cf073f8db279c14e4556328c
SHA1 affa2566963e81b81401c31add66d63ecfe98cd1
SHA256 bd460e0c1afb6ccc8fd370a9130e6c96b265d917955b66a421c795a6acab5fd5
SHA512 7f66f9d63341f36d0886d54460eca5314af88a0845683051f97b9771ff0afddd362d6acc717029e1340dea7a1d99d5ccc48495f7463fb2ba6a7ab4d2f0007735

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1930625.exe

MD5 74d72654788b118dd94a91cce114a6b2
SHA1 53df3e68adac2cf057f3375749318dfa4b8874d4
SHA256 da0c3e8cfbdec5e9498eb8580087a11b83be367f35e76aa507966e682122d805
SHA512 4307581685e08ec0631bcc9a43f2187ec9d50cc7b39f3498c020fc5617d4625adfb338a9e1f0c7fc239a7a319e49d0ce09e0151b7c76cf3643d79a34068ac3c4

memory/2928-28-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2928-29-0x00000000749D0000-0x0000000075180000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7388234.exe

MD5 d426052ddd81dd5c2a3da685120e19db
SHA1 a3976aa514b88a216b094751e1d53a217c920ea3
SHA256 7c47421d6492ed55c93d6e91a0b4e7fe282a1667da6e578f2ce4e502a48a4f90
SHA512 09a178afbe2d5eb57764e2b5c566c95459ae30a12e45c60421fec3bcabcca381fcf626d8201c3814caf67a42134798c245806914cba33f8ab63111637d9be837

memory/4140-33-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4140-34-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4140-35-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4140-37-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8775399.exe

MD5 0a15714bf2984443139e202ad23bc1bd
SHA1 a8d26fcadcdf93071f178dc72f206a48f4b3890a
SHA256 9663b676064e8d326982391e5adb846a6b025567269e77274afac58c5f10ccda
SHA512 155c249e942eb63aa3f83e0bae9f822cb71d37454a054336eea51c73c365331c129903e4f68d0faaec081a3199165e2c753dc0c8713bd04ed8a8525bd370a511

memory/2928-41-0x00000000749D0000-0x0000000075180000-memory.dmp

memory/2928-43-0x00000000749D0000-0x0000000075180000-memory.dmp

memory/3096-44-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/3096-46-0x0000000002EF0000-0x0000000002EF6000-memory.dmp

memory/3096-47-0x00000000745B0000-0x0000000074D60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d2808159.exe

MD5 1512d63acfcbc597f166b526c7610de6
SHA1 9462c15461adc167e6c2d85006ed87a376c71e65
SHA256 280ae2303907431a8b41ece57fbe9fec3bdbc2c95e09d921d156113d748ee76d
SHA512 c0e91c1ece705af6ed162e0f5817c2e87dae49dd034a0566562ef6847fb684c0a630ec870613779335a11feee045ef3a31543fb684871b3f1553794ea6565ff4

memory/3096-51-0x000000000B060000-0x000000000B678000-memory.dmp

memory/3096-52-0x000000000AB70000-0x000000000AC7A000-memory.dmp

memory/3096-53-0x00000000056B0000-0x00000000056C0000-memory.dmp

memory/3096-54-0x000000000AAB0000-0x000000000AAC2000-memory.dmp

memory/1968-55-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1968-56-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3096-57-0x000000000AB10000-0x000000000AB4C000-memory.dmp

memory/3096-58-0x000000000AC80000-0x000000000ACCC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7603212.exe

MD5 36492733f00ef3daf0a217c09b4c750e
SHA1 e7ed7706d2e125f03ed261e8e75016f48f48f498
SHA256 aecee825e214ae449bf79472975930593f4175d1bda0ba54ee59db64c6a30cfa
SHA512 acb96d29f317c499796adce4ebc9955e791a0592f77adcc9fc977daf009b17c793f17f1dc2dff29f62194f2e061680b31edef774cd577c5c7e1431b0de5995b3

memory/3124-62-0x0000000002D30000-0x0000000002D46000-memory.dmp

memory/1968-64-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3096-66-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/3096-67-0x00000000056B0000-0x00000000056C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4F8D.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 451fddf78747a5a4ebf64cabb4ac94e7
SHA1 6925bd970418494447d800e213bfd85368ac8dc9
SHA256 64d12f59d409aa1b03f0b2924e0b2419b65c231de9e04fce15cc3a76e1b9894d
SHA512 edb85a2a94c207815360820731d55f6b4710161551c74008df0c2ae10596e1886c8a9e11d43ddf121878ae35ac9f06fc66b4c325b01ed4e7bf4d3841b27e0864

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

C:\Users\Admin\AppData\Local\Temp\5D1B.exe

MD5 6b254caca548f0be01842a0c4bd4c649
SHA1 79bbeed18d08c3010e8954f6d5c9f52967dcc32e
SHA256 01a7afff3220c1a442e3b8bc41dbf4036e9c223f9aab374265d9beae0709e434
SHA512 b69f8c71f2b71268150cc74e8e842b6526e87c5e944d163bb3def85cc919428c249a733ca9bbefc4cf4b80a8dbf6961b8e6f0333194713faf10551b8eb97d3ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

\??\pipe\LOCAL\crashpad_2084_BJHBERQCVMGXOVMQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

C:\Users\Admin\AppData\Local\Temp\5FBC.exe

MD5 ef11a166e73f258d4159c1904485623c
SHA1 bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e
SHA256 dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747
SHA512 2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

\??\pipe\LOCAL\crashpad_1068_NPJZJJPXPYVULPMB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\5FBC.exe

MD5 ef11a166e73f258d4159c1904485623c
SHA1 bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e
SHA256 dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747
SHA512 2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

memory/3792-110-0x00000226B4A40000-0x00000226B4B26000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

memory/3792-123-0x00007FFA95850000-0x00007FFA96311000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\63C4.exe

MD5 52c2f13a9fa292d1f32439dde355ff71
SHA1 03a9aa82a8070de26b9a347cfbd4090fd239f8df
SHA256 020c6da8f2bbd3a3f15dcbc8808255c2650df37f2b499b680e69d9e3cb1c1316
SHA512 097d5415d7ed0ebb6b6f89cc38b29471a47ef99df79e7c6b0b01592174dfb115abdf496126bb7177527c252803bcc53a31b8c40d2f1aa65fae4331b5afe9e36a

memory/4784-127-0x0000000000880000-0x0000000000A58000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8e0be66ef85eca720b3718795190ca24
SHA1 ae03fd404a1d822b3b7dcd52cff2485228ffe1f7
SHA256 e1ffdbd646af223c4e81302ed835a60872ac95aa8ea54c8894308285d3bdee9e
SHA512 bff84a8d8620ff20dda896ce555a9d8ccd02fe174224fe4cfb9884482ea75d69f28b5e4c3d071151616a44a1a0b2d288b28a0a7ae4cadec7acb3952c2e3f5e25

memory/3792-128-0x00000226CEFD0000-0x00000226CF0B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\63C4.exe

MD5 52c2f13a9fa292d1f32439dde355ff71
SHA1 03a9aa82a8070de26b9a347cfbd4090fd239f8df
SHA256 020c6da8f2bbd3a3f15dcbc8808255c2650df37f2b499b680e69d9e3cb1c1316
SHA512 097d5415d7ed0ebb6b6f89cc38b29471a47ef99df79e7c6b0b01592174dfb115abdf496126bb7177527c252803bcc53a31b8c40d2f1aa65fae4331b5afe9e36a

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

memory/3752-147-0x00007FF6C7A50000-0x00007FF6C7B29000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

memory/3792-139-0x00000226CF0B0000-0x00000226CF180000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

memory/3792-136-0x00000226CF190000-0x00000226CF1A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6953.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5fc05a591c0ab20413ce3db48de3278e
SHA1 65cffc6a70f22e287224638df338d398a144e556
SHA256 ac2fcdbfb0a45cfa5b8b3e75830280de35a1648eeda74b61cb0528e2a30915d8
SHA512 8e24ef1ac6678d38884660173f0a76f8d9d274da326dfc13cf3be903a2ff6ecaf89ef1e1721f3bd26aa1f495e8345f9a2be1e58a1340575220c10d7de4509bbb

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

memory/4784-186-0x0000000000880000-0x0000000000A58000-memory.dmp

memory/4628-191-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

memory/3792-150-0x00000226B4FF0000-0x00000226B503C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/4784-207-0x0000000000880000-0x0000000000A58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6953.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

memory/4628-212-0x00000000745B0000-0x0000000074D60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/3240-235-0x00000000004B0000-0x0000000000624000-memory.dmp

memory/4628-236-0x0000000008220000-0x00000000087C4000-memory.dmp

memory/4628-238-0x0000000007D10000-0x0000000007DA2000-memory.dmp

memory/3240-237-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/1852-246-0x0000000000550000-0x00000000005AA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 47c2d269a8c31be70c55604d24a59e37
SHA1 1af19c70e312cfe23f2fcd69aaa7266b13916afd
SHA256 e41d456c2b0d24b1a3936b8df1ad337811459ef2eb8bfc59072a94bf858a379f
SHA512 0c297b70f31dd5a824bfdd0798604695ee5c24eb19cd3bf120cbd17d8c55bf0df898208495bc88ed8eee511a449f2e15f219e153d6a640be23ca61b4364671bf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8e0be66ef85eca720b3718795190ca24
SHA1 ae03fd404a1d822b3b7dcd52cff2485228ffe1f7
SHA256 e1ffdbd646af223c4e81302ed835a60872ac95aa8ea54c8894308285d3bdee9e
SHA512 bff84a8d8620ff20dda896ce555a9d8ccd02fe174224fe4cfb9884482ea75d69f28b5e4c3d071151616a44a1a0b2d288b28a0a7ae4cadec7acb3952c2e3f5e25

memory/4628-272-0x0000000007CA0000-0x0000000007CAA000-memory.dmp

memory/3792-270-0x00007FFA95850000-0x00007FFA96311000-memory.dmp

memory/1852-276-0x0000000000400000-0x0000000000469000-memory.dmp

memory/4628-277-0x0000000007E90000-0x0000000007EA0000-memory.dmp

memory/1852-281-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/3792-284-0x00000226CF190000-0x00000226CF1A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/4204-292-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0136046ebd8d09142b0203eb873198b4
SHA1 2f6a7f3d45d8424f602ed5d44da9f4834879b356
SHA256 498c5ccb27d44b790f39d2ff3dd4fbcbd775298fa8835c9f62f39389e8649058
SHA512 1139082d38941681c82398b237f2e7d1dc16d85460f2a7409bc61160f86590ec0bdeecc289560cb6349a3180b59b21b6e85030effb1374051785b73b9ed64d2b

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/3792-321-0x00007FFA95850000-0x00007FFA96311000-memory.dmp

memory/4204-324-0x000001A0B11F0000-0x000001A0B1200000-memory.dmp

memory/1852-332-0x0000000007780000-0x0000000007790000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/184-339-0x0000000000350000-0x0000000000358000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-ER9MJ.tmp\is-OQ8A5.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/184-350-0x00007FFA95850000-0x00007FFA96311000-memory.dmp

memory/3240-351-0x00000000745B0000-0x0000000074D60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/4628-354-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/184-355-0x0000000002510000-0x0000000002520000-memory.dmp

memory/4628-356-0x0000000008840000-0x00000000088A6000-memory.dmp

memory/2272-322-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-TSE30.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/4880-372-0x0000000000600000-0x0000000000601000-memory.dmp

memory/4204-373-0x000001A0B11D0000-0x000001A0B11D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-TSE30.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

memory/4204-374-0x000001A0CB4B0000-0x000001A0CB506000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/4204-318-0x00007FFA95850000-0x00007FFA96311000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d985875547ce8936a14b00d1e571365f
SHA1 040d8e5bd318357941fca03b49f66a1470824cb3
SHA256 8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf
SHA512 ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

memory/4204-311-0x000001A0CB240000-0x000001A0CB342000-memory.dmp

memory/3752-379-0x0000000003200000-0x0000000003371000-memory.dmp

memory/4628-378-0x0000000007E90000-0x0000000007EA0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 3ff328c42e443635b527d947bef310ba
SHA1 75317e0a80fe755d22a5fc9f9caacd4e758af246
SHA256 81253f1903ccbc4780badc4c4170c17f1be67c36e4cf6fb8173c4b57ba92bb81
SHA512 fec82e2e9dff92fa25bf879f4efb8843afd7f68ffaab627b49661b7e0a136d703cc73dd70244b9cdce8319f12e09ee675af180f2c27810201bad0361d2b1b51a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 644e15fe1722a0ba184d9527e4eb7b8a
SHA1 1efd9e5be7cc45e321d3fe4b19402aa6f36dc9a1
SHA256 8791da12f6e54fba3e8db3295ae82c9202e02167248a3673bcb23b9370bc1cfd
SHA512 ac016a6a155dbe28c32b870b3c522437622d09a04907fc944f3699e1a5302a60e2a42773a362951eaf11761d769c4cdc756ec065d66d12f3ce5d9a1795824a24

memory/3752-383-0x0000000003380000-0x00000000034B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d448d692146159fea3ccdefa7f11de23
SHA1 f18d327792482dac8a651b9cd1c630c94777edda
SHA256 67a59454e80b054077cca1bdf21ab3d273d03f9b085af32b57165edc69b58dfe
SHA512 0d8cc7d175d7ca1587fe9e0f27117110f467b27c76933ef86b5f98b9e43ef9b80f87dd9ee13e882f17e93d4b60544496dcb2ec28c64d7564435eedf8ef35873f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a681f088f057f6ba3ca3b48f6bdbf07f
SHA1 dde541a4233162e0c33e736dcd789242733f136e
SHA256 4a21a578932ad5fc2c9710f2413e19d413160f9854580c5fa8b578d749c94f9f
SHA512 5472f24cb406dd58729eb4b1256e542f85050931a89aefbcf80f8e96e461002c8f6eebeaa461d953680b72de7119fcf9e48cbb02db3eabb8d1b68f0443fd7a90

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 5c575a9a0cae9e093a58964641d40c04
SHA1 1e90a128f28e6b3077180216831d2c4f7ef17169
SHA256 109be7c6eca4100f70fc6e5f6ca5c35c39cadf642ad94b45a86f7ee2a95e2ee7
SHA512 6e64a87e16a7c26b961f592e5f9b6649c8954d336fc6efb0f4f0a3436fc834f19025c30ed8e9aabf758f4f2a69b8fa4dbce78ad95d23d40359d0f80533e374fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59b339.TMP

MD5 5e15bf458f0f9780260d2016d5a509a3
SHA1 1c98009e1420f37daf1107086f69b7dee72ece2b
SHA256 6b4ec97711878086a5da8f163118f2126e93f0b0b3575623eca3c9af244f6d3a
SHA512 30f137d7e6cf4b1fd612f3b2a784d6f80d19a47df9b4d2532a247fd2ea44fce038684527cdd69cc815c7b377b348b3a8204390e5bd8647db988e0dd5fb2fd6a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 ec6aae2bb7d8781226ea61adca8f0586
SHA1 d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256 b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512 aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

memory/4704-534-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

memory/4704-536-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/4204-540-0x000001A0B11F0000-0x000001A0B1200000-memory.dmp

memory/4704-541-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/4204-539-0x00007FFA95850000-0x00007FFA96311000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/2272-503-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1852-496-0x00000000745B0000-0x0000000074D60000-memory.dmp

memory/4880-546-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/1852-547-0x0000000007780000-0x0000000007790000-memory.dmp

memory/184-551-0x00007FFA95850000-0x00007FFA96311000-memory.dmp

memory/5576-553-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/4628-554-0x00000000096E0000-0x0000000009756000-memory.dmp

memory/4204-555-0x000001A0B11F0000-0x000001A0B1200000-memory.dmp

memory/4628-552-0x0000000009610000-0x0000000009660000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

MD5 45530ba69d87e740c786853748992d7b
SHA1 dae0e42ac44c0c5cbd1c3249eb9b61305a43db74
SHA256 dc9e168033ecc60c381bd2866394e6037cdf6e3764c4ff97ecc73509bd27788b
SHA512 02208c0b873673d646f7f4f7eb409d62e060c7fe1d297573991cf9df90d90d761806e759003638236571924a2285a3befe48c39c0a2d7a1a408e50fe57285f59

memory/5092-582-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/5092-583-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/5092-585-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/5092-586-0x0000022E84480000-0x0000022E844A0000-memory.dmp

memory/5092-588-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/5092-589-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/5092-590-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/5092-591-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/5092-592-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/5576-595-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/5576-598-0x0000000000400000-0x00000000005F1000-memory.dmp