Malware Analysis Report

2025-08-06 03:37

Sample ID 230923-y5me4aca62
Target 33ce411bac3c34d8ce31f099ff843a43a3f4e99a218e0bdb333cd90083afbdd8
SHA256 33ce411bac3c34d8ce31f099ff843a43a3f4e99a218e0bdb333cd90083afbdd8
Tags
fabookie glupteba healer redline smokeloader xmrig nanya up3 backdoor discovery dropper evasion infostealer loader miner persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

33ce411bac3c34d8ce31f099ff843a43a3f4e99a218e0bdb333cd90083afbdd8

Threat Level: Known bad

The file 33ce411bac3c34d8ce31f099ff843a43a3f4e99a218e0bdb333cd90083afbdd8 was found to be: Known bad.

Malicious Activity Summary

fabookie glupteba healer redline smokeloader xmrig nanya up3 backdoor discovery dropper evasion infostealer loader miner persistence spyware stealer trojan

Detect Fabookie payload

Detects Healer an antivirus disabler dropper

Glupteba

xmrig

Healer

Glupteba payload

Modifies Windows Defender Real-time Protection settings

RedLine payload

RedLine

Fabookie

SmokeLoader

XMRig Miner payload

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Reads user/profile data of web browsers

Uses the VBS compiler for execution

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: LoadsDriver

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-23 20:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-23 20:22

Reported

2023-09-23 20:24

Platform

win10v2004-20230915-en

Max time kernel

151s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33ce411bac3c34d8ce31f099ff843a43a3f4e99a218e0bdb333cd90083afbdd8.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\98B2.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos1.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\33ce411bac3c34d8ce31f099ff843a43a3f4e99a218e0bdb333cd90083afbdd8.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2111814.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5563693.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0939629.exe | N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\PA Previewer\is-SSMIV.tmp | C:\Users\Admin\AppData\Local\Temp\is-D0TJB.tmp\is-9EV96.tmp | N/A
File created | C:\Program Files (x86)\PA Previewer\is-P2J2N.tmp | C:\Users\Admin\AppData\Local\Temp\is-D0TJB.tmp\is-9EV96.tmp | N/A
File created | C:\Program Files (x86)\PA Previewer\is-FGE9Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-D0TJB.tmp\is-9EV96.tmp | N/A
File created | C:\Program Files (x86)\PA Previewer\is-O7U6E.tmp | C:\Users\Admin\AppData\Local\Temp\is-D0TJB.tmp\is-9EV96.tmp | N/A
File opened for modification | C:\Program Files (x86)\PA Previewer\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-D0TJB.tmp\is-9EV96.tmp | N/A
File opened for modification | C:\Program Files (x86)\PA Previewer\previewer.exe | C:\Users\Admin\AppData\Local\Temp\is-D0TJB.tmp\is-9EV96.tmp | N/A
File created | C:\Program Files (x86)\PA Previewer\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-D0TJB.tmp\is-9EV96.tmp | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9E12.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kos.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\PA Previewer\previewer.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\PA Previewer\previewer.exe | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 896 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\33ce411bac3c34d8ce31f099ff843a43a3f4e99a218e0bdb333cd90083afbdd8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2111814.exe
PID 896 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\33ce411bac3c34d8ce31f099ff843a43a3f4e99a218e0bdb333cd90083afbdd8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2111814.exe
PID 896 wrote to memory of 4824 | N/A | C:\Users\Admin\AppData\Local\Temp\33ce411bac3c34d8ce31f099ff843a43a3f4e99a218e0bdb333cd90083afbdd8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2111814.exe
PID 4824 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2111814.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5563693.exe
PID 4824 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2111814.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5563693.exe
PID 4824 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2111814.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5563693.exe
PID 1616 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5563693.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0939629.exe
PID 1616 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5563693.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0939629.exe
PID 1616 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5563693.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0939629.exe
PID 4068 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0939629.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0314660.exe
PID 4068 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0939629.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0314660.exe
PID 4068 wrote to memory of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0939629.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0314660.exe
PID 4716 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0314660.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4716 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0314660.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4716 wrote to memory of 2908 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0314660.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4716 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0314660.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4716 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0314660.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4716 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0314660.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4716 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0314660.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4716 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0314660.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4716 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0314660.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4716 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0314660.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4716 wrote to memory of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0314660.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4068 wrote to memory of 4940 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0939629.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7749128.exe
PID 4068 wrote to memory of 4940 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0939629.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7749128.exe
PID 4068 wrote to memory of 4940 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0939629.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7749128.exe
PID 4940 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7749128.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4940 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7749128.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4940 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7749128.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4940 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7749128.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4940 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7749128.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4940 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7749128.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4940 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7749128.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4940 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7749128.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4940 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7749128.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4940 wrote to memory of 1304 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7749128.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1616 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5563693.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3767666.exe
PID 1616 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5563693.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3767666.exe
PID 1616 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5563693.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3767666.exe
PID 4072 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3767666.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3767666.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3767666.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3767666.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3767666.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3767666.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3767666.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4072 wrote to memory of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3767666.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4824 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2111814.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6936720.exe
PID 4824 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2111814.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6936720.exe
PID 4824 wrote to memory of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2111814.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6936720.exe
PID 1988 wrote to memory of 4868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6936720.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 4868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6936720.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 4868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6936720.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6936720.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6936720.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6936720.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6936720.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6936720.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1988 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6936720.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 896 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\33ce411bac3c34d8ce31f099ff843a43a3f4e99a218e0bdb333cd90083afbdd8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7233630.exe
PID 896 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\33ce411bac3c34d8ce31f099ff843a43a3f4e99a218e0bdb333cd90083afbdd8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7233630.exe
PID 896 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\33ce411bac3c34d8ce31f099ff843a43a3f4e99a218e0bdb333cd90083afbdd8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7233630.exe
PID 3136 wrote to memory of 2492 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 3136 wrote to memory of 2492 | N/A | N/A | C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\33ce411bac3c34d8ce31f099ff843a43a3f4e99a218e0bdb333cd90083afbdd8.exe

"C:\Users\Admin\AppData\Local\Temp\33ce411bac3c34d8ce31f099ff843a43a3f4e99a218e0bdb333cd90083afbdd8.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2111814.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2111814.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5563693.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5563693.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0939629.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0939629.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0314660.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0314660.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4716 -ip 4716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 572

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7749128.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7749128.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1304 -ip 1304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 556

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3767666.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3767666.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4072 -ip 4072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4072 -s 552

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6936720.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6936720.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1988 -ip 1988

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 584

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7233630.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7233630.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8B14.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe428046f8,0x7ffe42804708,0x7ffe42804718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe428046f8,0x7ffe42804708,0x7ffe42804718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2904 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3516 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3448 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,4853703056752330674,16183958897631711489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\98B2.exe

C:\Users\Admin\AppData\Local\Temp\98B2.exe

C:\Users\Admin\AppData\Local\Temp\9E12.exe

C:\Users\Admin\AppData\Local\Temp\9E12.exe

C:\Users\Admin\AppData\Local\Temp\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\ss41.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\A2B6.exe

C:\Users\Admin\AppData\Local\Temp\A2B6.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\A96E.exe

C:\Users\Admin\AppData\Local\Temp\A96E.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Users\Admin\AppData\Local\Temp\is-D0TJB.tmp\is-9EV96.tmp

"C:\Users\Admin\AppData\Local\Temp\is-D0TJB.tmp\is-9EV96.tmp" /SL4 $E0054 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 3272 -ip 3272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 792

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,14611393870434854714,7916173542611099517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RBvfugTGdvfZCHCgvSoHZdsYt2u1JwYhUP.RIG_CPU -p x --cpu-max-threads-hint=50

Network

Country Destination          Domain                         Proto
US      8.8.8.8:53           2.136.104.51.in-addr.arpa      udp
US      8.8.8.8:53           240.221.184.93.in-addr.arpa    udp
US      8.8.8.8:53           20.160.190.20.in-addr.arpa     udp
US      8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
US      8.8.8.8:53           241.154.82.20.in-addr.arpa     udp
US      8.8.8.8:53           198.1.85.104.in-addr.arpa      udp
US      8.8.8.8:53           86.23.85.13.in-addr.arpa       udp
FI      77.91.124.82:19071                                  tcp
US      8.8.8.8:53           206.23.85.13.in-addr.arpa      udp
FI      77.91.68.29:80       77.91.68.29                    tcp
FI      77.91.124.231:80                                    tcp
US      8.8.8.8:53           29.68.91.77.in-addr.arpa       udp
US      8.8.8.8:53           254.210.247.8.in-addr.arpa     udp
FI      77.91.124.82:19071                                  tcp
FI      77.91.68.29:80       77.91.68.29                    tcp
FI      77.91.124.231:80                                    tcp
FI      77.91.124.82:19071                                  tcp
US      8.8.8.8:53           146.78.124.51.in-addr.arpa     udp
US      8.8.8.8:53           26.35.223.20.in-addr.arpa      udp
FI      77.91.68.29:80       77.91.68.29                    tcp
FI      77.91.68.61:80       77.91.68.61                    tcp
RU      5.42.65.80:80        5.42.65.80                     tcp
US      8.8.8.8:53           61.68.91.77.in-addr.arpa       udp
US      8.8.8.8:53           www.facebook.com               udp
US      8.8.8.8:53           www.facebook.com               udp
US      8.8.8.8:53           accounts.google.com            udp
US      8.8.8.8:53           80.65.42.5.in-addr.arpa        udp
NL      142.250.179.141:443  accounts.google.com            tcp
NL      157.240.201.35:443   www.facebook.com               tcp
NL      142.250.179.141:443  accounts.google.com            udp
US      8.8.8.8:53           static.xx.fbcdn.net            udp
NL      157.240.201.15:443   static.xx.fbcdn.net            tcp
NL      157.240.201.15:443   static.xx.fbcdn.net            tcp
NL      157.240.201.15:443   static.xx.fbcdn.net            tcp
NL      157.240.201.15:443   static.xx.fbcdn.net            tcp
NL      157.240.201.15:443   static.xx.fbcdn.net            tcp
NL      157.240.201.15:443   static.xx.fbcdn.net            tcp
US      8.8.8.8:53           facebook.com                   udp
US      8.8.8.8:53           141.179.250.142.in-addr.arpa   udp
US      8.8.8.8:53           35.201.240.157.in-addr.arpa    udp
US      8.8.8.8:53           15.201.240.157.in-addr.arpa    udp
US      8.8.8.8:53           fbcdn.net                      udp
NL      157.240.201.35:443   fbcdn.net                      tcp
US      8.8.8.8:53           fbsbx.com                      udp
FI      77.91.68.78:80       77.91.68.78                    tcp
US      8.8.8.8:53           78.68.91.77.in-addr.arpa       udp
US      8.8.8.8:53           195.179.250.142.in-addr.arpa   udp
US      8.8.8.8:53           131.179.250.142.in-addr.arpa   udp
US      8.8.8.8:53           z.nnnaajjjgc.com               udp
MU      156.236.72.121:443   z.nnnaajjjgc.com               tcp
US      8.8.8.8:53           121.72.236.156.in-addr.arpa    udp
US      8.8.8.8:53           147.174.42.23.in-addr.arpa     udp
US      8.8.8.8:53           176.25.221.88.in-addr.arpa     udp
N/A     224.0.0.251:5353                                    udp
US      8.8.8.8:53           14.227.111.52.in-addr.arpa     udp
US      8.8.8.8:53           app.nnnaajjjgc.com             udp
MD      176.123.9.85:16482                                  tcp
HK      154.221.26.108:80    app.nnnaajjjgc.com             tcp
US      8.8.8.8:53           85.9.123.176.in-addr.arpa      udp
NL      141.98.6.38:39001                                   tcp
US      8.8.8.8:53           iplogger.com                   udp
DE      148.251.234.93:443   iplogger.com                   tcp
FI      77.91.124.82:19071                                  tcp
US      8.8.8.8:53           108.26.221.154.in-addr.arpa    udp
US      8.8.8.8:53           38.6.98.141.in-addr.arpa       udp
US      8.8.8.8:53           93.234.251.148.in-addr.arpa    udp
US      8.8.8.8:53           transfer.sh                    udp
DE      144.76.136.153:443   transfer.sh                    tcp
US      8.8.8.8:53           153.136.76.144.in-addr.arpa    udp
US      8.8.8.8:53           rx.unmineable.com              udp
US      165.227.182.82:3333  rx.unmineable.com              tcp
US      8.8.8.8:53           82.182.227.165.in-addr.arpa    udp
US      8.8.8.8:53           tse1.mm.bing.net               udp
US      204.79.197.200:443   tse1.mm.bing.net               tcp
US      204.79.197.200:443   tse1.mm.bing.net               tcp
US      8.8.8.8:53           host-file-host6.com            udp
US      8.8.8.8:53           host-host-file8.com            udp
NL      194.169.175.127:80   host-host-file8.com            tcp
US      8.8.8.8:53           127.175.169.194.in-addr.arpa   udp
US      8.8.8.8:53           27.73.42.20.in-addr.arpa       udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2111814.exe

MD5 40e33ed5ba5c35210fa6e2a783f06e2f
SHA1 94162104e4a967022706551f48a5861fd5bbd6f9
SHA256 50ca83fe91d6c0cefac32a4d8787373c0ba83cc3e948c751e3c612f03d8b16fe
SHA512 2733db145c1fd238841f261c7666c07d998ba04fe99727c7d6ce81ea7bf5e7640b3cb2b1eae10af9e83560cd45c542d05582b3e4accc9962aa11970d28f99f5d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5563693.exe

MD5 f802af9a7313bf88a6fffd5c73a248df
SHA1 ff76bf07b7f30d9985be981dd716f90ba94c9ba7
SHA256 db70bf878a054e3406c04f60af3e7f16c3ae6f165bb151632f723450be20540c
SHA512 ea633e7922bf3d13b1a6cdb942562c742f7ef3cf3197485aff78703c8fa9463af6be3258edd8b54d5dcee4045fb2cc5f554685fc84857fcab9482c48f9d0380a

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0939629.exe

MD5 b9b1b4e965f316b070f583e904b5c14c
SHA1 34d575c84a6c3856f9a4fc2c8106b82c99e70db4
SHA256 c9561bd07adabbe9b16b2cc64b283707c65ca29f69fc4277abbebfcd9aa4c94d
SHA512 6c7ffb4bee88c271088f894f06fa213483c8fb40d8862ef355c3f70c6501a79fc2c069770d474e1bf8c640c6daa03af2cbf7929020c578003a63c51830b90bce

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a0314660.exe

MD5 68815b1d67b086fcba231960006f3cbd
SHA1 10cb37e68616941dad4f04099788876a5f81deb6
SHA256 88f8db19b1ba0615011a4a7728b13a8ae470a2e4567f2b6ff2f5e1eb3bba85bd
SHA512 e2c103d6e68c097da070970f7210939be6bbb61b8f195dbf1601a67b5f1364479f0cc2f54623147263bfd1cafa1e230ebdbb38d741044353b592f65448099aa6

memory/636-28-0x0000000000400000-0x000000000040A000-memory.dmp

memory/636-29-0x00000000741B0000-0x0000000074960000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b7749128.exe

MD5 d172e01f7e73a8f88704abc6af635b98
SHA1 7e9d11184f551f5180937e5423553fbf7f335f32
SHA256 d068584734aed302a3041575af0ede0d271020d570514ebc569dbfdd72e79f79
SHA512 b004909981114f031fbbc68387bad01e1fc34d2107ce523d2b5d7fd2514e9d4a9575719e7e35fe7b3820edb6bbac202a29bb6984d109595f21bdcafdec14020b

memory/1304-33-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1304-34-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1304-35-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1304-37-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c3767666.exe

MD5 0486c3073a9bbf86eea8621bbedfb61f
SHA1 e1eaa8cf02ccf41b58c9dcb9379c2258192a315e
SHA256 bc44d3961c2ce246e9b2c48fe72ba589191536c9884c146edc0494fec36fd046
SHA512 ae2ff2062eb30f296d131be05315e9fb2aa343351953903fddaf6a6fce943e0955aadb2ed4489f2b3430edc0afb58ef580b140b1202d16b5dd86c3258a887b89

memory/1472-41-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1472-42-0x0000000002D00000-0x0000000002D06000-memory.dmp

memory/1472-43-0x00000000741B0000-0x0000000074960000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6936720.exe

MD5 6847196f406ea4cf905b0dc20b2740b5
SHA1 2e6263d442ef5220a86e756a3b03dd90b18ff607
SHA256 5356858cb44d41f678d43f4efed2589820aced5337fd424b70169469e5ef1aca
SHA512 8f2b10e011b4b41ff3ac79c99206291117f50a4b62adb3590142aee6e9bacaa370395390edabf0a339b13269365d43c305924f4a77274225afdb49bd7ae7fbb8

memory/1472-47-0x0000000005C20000-0x0000000006238000-memory.dmp

memory/1472-48-0x0000000005710000-0x000000000581A000-memory.dmp

memory/1472-50-0x00000000054F0000-0x0000000005500000-memory.dmp

memory/1472-49-0x0000000005630000-0x0000000005642000-memory.dmp

memory/1472-51-0x0000000005690000-0x00000000056CC000-memory.dmp

memory/4196-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1472-53-0x0000000005820000-0x000000000586C000-memory.dmp

memory/636-54-0x00000000741B0000-0x0000000074960000-memory.dmp

memory/4196-55-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7233630.exe

MD5 d169042092c9682815948c0db025a917
SHA1 ede7a9ce2e73fc7560909ea4f0dc0e3f323a07e7
SHA256 6664e896c72cae33e3c536c4de0241ad6a3abf7d162d36ecabcfdc7bb711b30d
SHA512 9fc1fa48a24cf221eb92eec3a9d5e31206d7549fb5e95461971306812babfec8a565b98a34ad76e336c64209f9c54cb92995a2a779a965cd1db023b768741728

memory/636-60-0x00000000741B0000-0x0000000074960000-memory.dmp

memory/3136-61-0x00000000008D0000-0x00000000008E6000-memory.dmp

memory/4196-63-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1472-65-0x00000000741B0000-0x0000000074960000-memory.dmp

memory/1472-66-0x00000000054F0000-0x0000000005500000-memory.dmp

memory/3136-70-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-71-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-72-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-73-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-74-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-75-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-76-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-78-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-77-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-80-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-81-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-82-0x0000000002D20000-0x0000000002D30000-memory.dmp

memory/3136-83-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-84-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-85-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-87-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-89-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-91-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-93-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-94-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-95-0x0000000000920000-0x0000000000930000-memory.dmp

memory/3136-97-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-98-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-96-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-99-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-100-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-101-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-103-0x0000000002800000-0x0000000002810000-memory.dmp

memory/3136-104-0x0000000002800000-0x0000000002810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8B14.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7a602869e579f44dfa2a249baa8c20fe
SHA1 e0ac4a8508f60cb0408597eb1388b3075e27383f
SHA256 9ecfb98abb311a853f6b532b8eb6861455ca3f0cc3b4b6b844095ad8fb28dfa5
SHA512 1f611034390aaeb815d92514cdeea68c52ceb101ad8ac9f0ae006226bebc15bfa283375b88945f38837c2423d2d397fbf832b85f7db230af6392c565d21f8d10

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d5af55f794f9a10c5943d2f80dde5c5
SHA1 5252adf87d6bd769f2c39b9e8eba77b087a0160d
SHA256 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764
SHA512 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

\??\pipe\LOCAL\crashpad_3396_SUMUNRQQKUABXZNG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8b8925a16a257acb5a50c3b443eed2dc
SHA1 7fe549d340c3da278f051d55d334cf9601c979af
SHA256 22dff4542be254ec6cdf4acbe1f6b67aabd2e3cec84ab55159b13109b5f79de6
SHA512 1ac95c0915e93774e2f1a8fc7d17782f3273e18da6215ed0124487fd671f769aee41973c89bcc31c3bb0880544e74e677da19b6c6b8bdfbe2c7b296a8ee0152e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 43bdae203ce75967243ec9c2dff684ae
SHA1 e1f409221663a9e7123eaeb95f2c69ad4691550c
SHA256 d91a4aa2746e88055849276ea44edb24c8f5c6ca0c3c0b32e36d709f717b2358
SHA512 88adee9317d88cc155332a1ffc44f1271f2472e0393a035fa63ee5a1b9463615733e726118273ff445a020d21b5778ef44ca1bcd49fc33ff1c447819dd037674

C:\Users\Admin\AppData\Local\Temp\98B2.exe

MD5 6b254caca548f0be01842a0c4bd4c649
SHA1 79bbeed18d08c3010e8954f6d5c9f52967dcc32e
SHA256 01a7afff3220c1a442e3b8bc41dbf4036e9c223f9aab374265d9beae0709e434
SHA512 b69f8c71f2b71268150cc74e8e842b6526e87c5e944d163bb3def85cc919428c249a733ca9bbefc4cf4b80a8dbf6961b8e6f0333194713faf10551b8eb97d3ff

\??\pipe\LOCAL\crashpad_1320_HCYGQIBHNCSCBZCF

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\9E12.exe

MD5 ef11a166e73f258d4159c1904485623c
SHA1 bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e
SHA256 dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747
SHA512 2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

memory/1316-257-0x000001DB10C10000-0x000001DB10CF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

memory/1316-279-0x000001DB2B190000-0x000001DB2B272000-memory.dmp

memory/1316-278-0x00007FFE3F7F0000-0x00007FFE402B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

memory/788-293-0x00007FF7F5610000-0x00007FF7F56E9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/2820-300-0x0000000000800000-0x0000000000974000-memory.dmp

memory/2820-303-0x00000000741B0000-0x0000000074960000-memory.dmp

memory/1484-304-0x0000000000560000-0x0000000000738000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A2B6.exe

MD5 52c2f13a9fa292d1f32439dde355ff71
SHA1 03a9aa82a8070de26b9a347cfbd4090fd239f8df
SHA256 020c6da8f2bbd3a3f15dcbc8808255c2650df37f2b499b680e69d9e3cb1c1316
SHA512 097d5415d7ed0ebb6b6f89cc38b29471a47ef99df79e7c6b0b01592174dfb115abdf496126bb7177527c252803bcc53a31b8c40d2f1aa65fae4331b5afe9e36a

C:\Users\Admin\AppData\Local\Temp\A2B6.exe

MD5 52c2f13a9fa292d1f32439dde355ff71
SHA1 03a9aa82a8070de26b9a347cfbd4090fd239f8df
SHA256 020c6da8f2bbd3a3f15dcbc8808255c2650df37f2b499b680e69d9e3cb1c1316
SHA512 097d5415d7ed0ebb6b6f89cc38b29471a47ef99df79e7c6b0b01592174dfb115abdf496126bb7177527c252803bcc53a31b8c40d2f1aa65fae4331b5afe9e36a

memory/1316-297-0x000001DB2B270000-0x000001DB2B2BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/1316-292-0x000001DB2B340000-0x000001DB2B410000-memory.dmp

memory/1484-306-0x0000000000560000-0x0000000000738000-memory.dmp

memory/2168-307-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

memory/1316-281-0x000001DB2B330000-0x000001DB2B340000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

C:\Users\Admin\AppData\Local\Temp\A96E.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/1484-327-0x0000000000560000-0x0000000000738000-memory.dmp

memory/2168-328-0x00000000741B0000-0x0000000074960000-memory.dmp

memory/2860-329-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/2168-338-0x0000000008110000-0x00000000086B4000-memory.dmp

memory/2168-353-0x0000000007C40000-0x0000000007CD2000-memory.dmp

memory/2168-356-0x0000000007CE0000-0x0000000007CEA000-memory.dmp

memory/788-360-0x0000000002AA0000-0x0000000002C11000-memory.dmp

memory/4440-362-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/3272-375-0x0000000000470000-0x00000000004CA000-memory.dmp

memory/1316-371-0x00007FFE3F7F0000-0x00007FFE402B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/2860-354-0x00000292D7C60000-0x00000292D7C70000-memory.dmp

memory/2860-357-0x00000292D7AF0000-0x00000292D7BF2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5ddc8c765c735ef2b9ddab5f99357ada
SHA1 7b532b8b121640114b399fd26a16ac3ea4e70fd9
SHA256 2f0f2ff5ac7adc5ab3098180b2fea4d7736040e53c41b4f6df62af6bdbb9e776
SHA512 b8eb9c022327ef60d34958fe6f3ad04e07096d96640ef8dfa38b472ec20d6e14e504c7c21bd44cc61adbde430c768638804a643ed6e59f8645100892cbbd355b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 43bdae203ce75967243ec9c2dff684ae
SHA1 e1f409221663a9e7123eaeb95f2c69ad4691550c
SHA256 d91a4aa2746e88055849276ea44edb24c8f5c6ca0c3c0b32e36d709f717b2358
SHA512 88adee9317d88cc155332a1ffc44f1271f2472e0393a035fa63ee5a1b9463615733e726118273ff445a020d21b5778ef44ca1bcd49fc33ff1c447819dd037674

C:\Users\Admin\AppData\Local\Temp\A96E.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

memory/788-343-0x0000000002C20000-0x0000000002D51000-memory.dmp

memory/2860-341-0x00007FFE3F7F0000-0x00007FFE402B1000-memory.dmp

memory/2168-374-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

memory/4440-384-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5ddc8c765c735ef2b9ddab5f99357ada
SHA1 7b532b8b121640114b399fd26a16ac3ea4e70fd9
SHA256 2f0f2ff5ac7adc5ab3098180b2fea4d7736040e53c41b4f6df62af6bdbb9e776
SHA512 b8eb9c022327ef60d34958fe6f3ad04e07096d96640ef8dfa38b472ec20d6e14e504c7c21bd44cc61adbde430c768638804a643ed6e59f8645100892cbbd355b

memory/2820-390-0x00000000741B0000-0x0000000074960000-memory.dmp

memory/2028-414-0x00007FFE3F7F0000-0x00007FFE402B1000-memory.dmp

memory/2028-434-0x000000001B4C0000-0x000000001B4D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/3272-455-0x0000000000400000-0x0000000000469000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A96E.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

memory/2860-469-0x00000292BD990000-0x00000292BD998000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-0AOOF.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-0AOOF.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

C:\Users\Admin\AppData\Local\Temp\is-0AOOF.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

C:\Users\Admin\AppData\Local\Temp\A96E.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 394d4d59f272d7c7a2b2b9c490a7e3a6
SHA1 f1e4b74ee68e9617b0482f700203b7cabfd6c95e
SHA256 235e589ef282938e8cd6c852273c070dd408e72714060390887a1ce677735618
SHA512 0d15e52333f606d2aaff817f4335f9f21d1159f2799db2b00ebbd13ae16043f6f774aaffdfd13b48f1a2d1ee024aad9fefd6ff6037d22dc282840dc304da2182

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 e59595713446465f193616d3a210724d
SHA1 5361dfec31f93fa98cc801e9b3f0fe64227594a9
SHA256 921dabadca39472e161578722f5f7e70854f8dcf02997732b9c7a8534178fd75
SHA512 1314c1d9306a1860e91b21472b37ef79a4ce605eba2d517d28eaaa8a41796776bb53089fc8d29e70b3dfd951632e1fb2c3afaf4deb42dc66e82a72ff42dcca22

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

C:\Users\Admin\AppData\Local\Temp\is-D0TJB.tmp\is-9EV96.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

C:\Users\Admin\AppData\Local\Temp\is-D0TJB.tmp\is-9EV96.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f29174005bd07d5b65884fdcbe6599e9
SHA1 61fbaa286adb8122d57dbea63d789708aa1f5fe8
SHA256 a1eccecab8f064cd1166d3a6f2906d82c2ef85b46a6aade5b47b7c402c608965
SHA512 5d9164f12fcf04fcf411aed5661adfba1be9f8be83f7913f5a0ec106c74c94d701b57109a7caf21997002f300b508f898fb486b89145e2ed9120e0743899eb01

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 ea3eb562ae6832a2bf0785ceadcfec6b
SHA1 a55773b14d3350c6fdf9075dda3cba0f8d038247
SHA256 e27b73ea096a878a86c216f6903a35b06353f68379f9c9d000d9a32fe0d4def6
SHA512 a98bc0f24e22535bf59dee45e7aefbccd24ef9ee4bb9c866cb29653bda9bfe714405dabef18260b3209cd542f714df6e04c2d39478b0d22e98019a52b08b1649

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8f7cb8ad679749dbd4bf907cecf6da86
SHA1 00067ac295dcf216056de8e04e29ca81a3250564
SHA256 01dbedab858375448e9ee048619cbb8e18516074ce9e8e510245bff137ffbaa6
SHA512 19390e06fe3ec8ffa1f0dd19c41844e914288ece64f1eb62864dbc27b2cf4c625ca60b28328225c3f73b929c831b3ae15dc8ea7199134306820393d7e868f902

memory/2028-381-0x0000000000730000-0x0000000000738000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4260ca824f3e6de7df7338e88a45d33b
SHA1 8b68dcc9a7c65385e9c9c3768abf8ba819c67978
SHA256 e5ac5e6c126e7fedb8436f93c42510564106976ea578a5228198951495b68db7
SHA512 a7edf958aa5f633cf43b97d6fec605477b39b537e17b3fdab7b6eb3e2c4204323dd7366a82308d35993cdc371a61fe5e761afda21f2cf11d7dd2868dcff78903

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d5af55f794f9a10c5943d2f80dde5c5
SHA1 5252adf87d6bd769f2c39b9e8eba77b087a0160d
SHA256 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764
SHA512 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71

memory/5596-525-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/5596-557-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 ec6aae2bb7d8781226ea61adca8f0586
SHA1 d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256 b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512 aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/1136-587-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3652-601-0x0000000000400000-0x00000000004B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yv4ex2xv.vf4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4996-629-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/3136-630-0x0000000002D60000-0x0000000002D76000-memory.dmp

memory/1136-631-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4996-655-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/820-658-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/820-660-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/820-659-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/820-662-0x000001D9C6FF0000-0x000001D9C7010000-memory.dmp

memory/820-668-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/820-669-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/820-670-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/820-671-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/820-672-0x0000000140000000-0x00000001407CF000-memory.dmp