Malware Analysis Report

2025-08-06 03:37

Sample ID 230923-yrzs9sca29
Target 2d93013237a3db383bd2001b9e953abc5409d73164a5b6bca93f3e76c16f2650
SHA256 2d93013237a3db383bd2001b9e953abc5409d73164a5b6bca93f3e76c16f2650
Tags
fabookie glupteba healer redline smokeloader xmrig nanya up3 backdoor discovery dropper evasion infostealer loader miner persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2d93013237a3db383bd2001b9e953abc5409d73164a5b6bca93f3e76c16f2650

Threat Level: Known bad

The file 2d93013237a3db383bd2001b9e953abc5409d73164a5b6bca93f3e76c16f2650 was found to be: Known bad.

Malicious Activity Summary

fabookie glupteba healer redline smokeloader xmrig nanya up3 backdoor discovery dropper evasion infostealer loader miner persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

SmokeLoader

Detects Healer an antivirus disabler dropper

Glupteba payload

Healer

RedLine payload

Glupteba

RedLine

xmrig

Fabookie

Detect Fabookie payload

XMRig Miner payload

Downloads MZ/PE file

Uses the VBS compiler for execution

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-23 20:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-23 20:01

Reported

2023-09-23 20:04

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2d93013237a3db383bd2001b9e953abc5409d73164a5b6bca93f3e76c16f2650.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection
Values set (int) under that key, each = "1":
DisableOnAccessProtection
DisableRealtimeMonitoring
DisableScanOnRealtimeEnable
DisableBehaviorMonitoring
DisableIOAVProtection

All five writes come from AppLaunch.exe, the 32-bit .NET Framework host (Framework, not Framework64), which is why the path carries WOW6432Node. The dropper stages write into freshly started AppLaunch.exe processes (see "Suspicious use of WriteProcessMemory"), so this tampering is performed by injected code running under a Microsoft-signed image. The values are Windows Defender Group Policy settings: together they switch off real-time monitoring, behaviour monitoring, on-access scanning and scanning of downloaded files and attachments (IOAV), and suppress the catch-up process scan that normally runs when real-time protection is re-enabled. When hunting, check both the WOW6432Node path and the native HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection path, and remember that Tamper Protection, where enabled, is designed to stop registry edits like these from taking effect.
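A detection-side check for the same tampering, added here as an example and not part of the sandbox report: it evaluates registry value-set events in the shape of Sysmon Event ID 13 fields (TargetObject, Details, Image, ProcessId), normalises the WOW6432Node path that a 32-bit writer produces to the effective HKLM policy key, and reports which real-time protection switches were turned off and by which image. The first five sample events reproduce the table above; the remaining three events, and every PID, are constructed controls.

```python
"""Flag Windows Defender real-time protection tampering in registry value-set telemetry.
Added example for this report, not sandbox output. SAMPLE_EVENTS are constructed in the
shape of Sysmon Event ID 13 (RegistryEvent: value set) fields: the first five mirror the
writes in the table above, the rest are made-up controls. Nothing touches a live registry."""
import re

RTP_KEY = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
# Policy values that, when set to 1, each switch off a piece of real-time protection.
RTP_DISABLE_VALUES = {
    "disablerealtimemonitoring": "DisableRealtimeMonitoring",
    "disablebehaviormonitoring": "DisableBehaviorMonitoring",
    "disableonaccessprotection": "DisableOnAccessProtection",
    "disableioavprotection": "DisableIOAVProtection",
    "disablescanonrealtimeenable": "DisableScanOnRealtimeEnable",
}
WOW64_RE = re.compile(r"\\WOW6432Node(?=\\)", re.IGNORECASE)


def normalize_key(path):
    """Canonicalise HKLM spellings and drop the WOW6432Node hop a 32-bit writer adds."""
    for prefix in ("\\REGISTRY\\MACHINE\\", "HKEY_LOCAL_MACHINE\\"):
        if path.upper().startswith(prefix.upper()):
            path = "HKLM\\" + path[len(prefix):]
    return WOW64_RE.sub("", path)


def parse_dword(details):
    """Sysmon renders REG_DWORD as 'DWORD (0x00000001)'; sandboxes often print '"1"'."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"\d+", details)
    return int(m.group(0)) if m else None


def evaluate(events):
    """One finding per event that sets an RTP disable value to non-zero under HKLM."""
    findings = []
    for ev in events:
        key = normalize_key(ev["TargetObject"])
        parent, _, value = key.rpartition("\\")
        if not (parent.upper().startswith("HKLM\\") and parent.lower().endswith(RTP_KEY.lower())):
            continue
        canonical = RTP_DISABLE_VALUES.get(value.lower())
        data = parse_dword(ev["Details"])
        if canonical is None or not data:
            continue  # unrelated value, or the protection was switched back on (0)
        findings.append({
            "value": canonical,
            "image": ev["Image"].rsplit("\\", 1)[-1],
            "pid": ev["ProcessId"],
            "via_wow6432node": "wow6432node" in ev["TargetObject"].lower(),
        })
    return findings


def summarize(findings):
    """What got switched off, by whom, and how much came through the 32-bit registry view."""
    return {
        "disabled": sorted({f["value"] for f in findings}),
        "writers": sorted({f["image"] for f in findings}),
        "via_wow6432node": sum(f["via_wow6432node"] for f in findings),
        "realtime_off": any(f["value"] == "DisableRealtimeMonitoring" for f in findings),
    }


# Constructed sample telemetry. The sandbox path and writer image are from the table above;
# PIDs are invented, and the last three events are controls that must not be flagged or must
# be flagged without WOW6432Node.
SANDBOX_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
NATIVE_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"


def event(target, details, image, pid):
    return {"EventType": "SetValue", "TargetObject": target, "Details": details, "Image": image, "ProcessId": pid}


SAMPLE_EVENTS = [
    event(SANDBOX_KEY + r"\DisableOnAccessProtection", "DWORD (0x00000001)", APPLAUNCH, 3172),
    event(SANDBOX_KEY + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)", APPLAUNCH, 3172),
    event(SANDBOX_KEY + r"\DisableScanOnRealtimeEnable", "DWORD (0x00000001)", APPLAUNCH, 3172),
    event(SANDBOX_KEY + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)", APPLAUNCH, 3172),
    event(SANDBOX_KEY + r"\DisableIOAVProtection", "DWORD (0x00000001)", APPLAUNCH, 3172),
    # native-path write by an admin shell: flagged, but not via WOW6432Node
    event(NATIVE_KEY + r"\DisableBehaviorMonitoring", "DWORD (0x00000001)",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", 5100),
    # protection switched back on: not a finding
    event(NATIVE_KEY + r"\DisableRealtimeMonitoring", "DWORD (0x00000000)", r"C:\Windows\System32\svchost.exe", 1020),
    # unrelated key under the 32-bit view: not a finding
    event(r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Updater",
          r"C:\Users\Admin\upd.exe", r"C:\Users\Admin\upd.exe", 6000),
]

if __name__ == "__main__":
    print(summarize(evaluate(SAMPLE_EVENTS)))
```

Feed real Sysmon 13 (or EDR-equivalent) records into evaluate(); a writer that is not your policy engine or management agent, or any finding reached through WOW6432Node, warrants an immediate look regardless of whether Tamper Protection ultimately blocked the change.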

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (×5 payload matches, no process details recorded)

SmokeLoader

trojan backdoor smokeloader

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (×10 payload matches, no process details recorded)

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9DE2.exe N/A

Geo\Nation holds the GeoID of the country the user configured in Control Panel. Reading it is how stealers and loaders commonly decide whether to run at all in a given region; here it is read by kos1.exe, kos.exe and 9DE2.exe, three executables that sit outside the IExpress extraction chain.

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2d93013237a3db383bd2001b9e953abc5409d73164a5b6bca93f3e76c16f2650.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9353222.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6383930.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2591225.exe N/A

These RunOnce entries are not attacker persistence in the usual sense. wextract_cleanup<n> = rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>" is what the Windows IExpress self-extractor (WEXTRACT) writes so that its IXP00n.TMP extraction folder is deleted at the next logon. What the four entries do reveal is the packaging: the sample is four nested IExpress archives (IXP000.TMP through IXP003.TMP), each extracting and running the next layer. The separate "Uses Task Scheduler COM API" signature is the persistence lead worth following; this report records no details for it.

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PA Previewer\is-N69G4.tmp C:\Users\Admin\AppData\Local\Temp\is-8E8S8.tmp\is-Q41MU.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-SH2JS.tmp C:\Users\Admin\AppData\Local\Temp\is-8E8S8.tmp\is-Q41MU.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-4OORP.tmp C:\Users\Admin\AppData\Local\Temp\is-8E8S8.tmp\is-Q41MU.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-8E8S8.tmp\is-Q41MU.tmp N/A
File opened for modification C:\Program Files (x86)\PA Previewer\previewer.exe C:\Users\Admin\AppData\Local\Temp\is-8E8S8.tmp\is-Q41MU.tmp N/A
File created C:\Program Files (x86)\PA Previewer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-8E8S8.tmp\is-Q41MU.tmp N/A
File created C:\Program Files (x86)\PA Previewer\is-MV7MK.tmp C:\Users\Admin\AppData\Local\Temp\is-8E8S8.tmp\is-Q41MU.tmp N/A

The is-XXXXX.tmp file names, the unins000.dat uninstall log and the is-8E8S8.tmp\is-Q41MU.tmp setup process are the hallmarks of an Inno Setup installer: one stage installs a "PA Previewer" application into Program Files (x86). Its previewer.exe is the process that later requests SeDebugPrivilege (see "Suspicious use of AdjustPrivilegeToken"), so treat the installed application as part of the sample rather than as a bystander.

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Enum\SCSI holds the hardware IDs of attached storage devices, including the vendor and model strings that betray virtual disks (VBOX, VMware, QEMU and the like), so enumerating it is a common sandbox and VM check. Both toolspub2.exe and the injected AppLaunch.exe perform it.

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

The only process reading the BIOS manufacturer and product strings here is msedge.exe, which the sample started through 9064.bat (see Processes). Chromium-based browsers read these values themselves, so treat this signature as browser noise unless the same reads show up in one of the dropper's own processes.

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A (×4)
N/A N/A N/A N/A (×60, process not recorded)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege N/A N/A N/A (×9 pairs)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A1DB.exe N/A
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege N/A N/A N/A (×5 pairs)
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos.exe N/A
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege N/A N/A N/A (×3 pairs)
Token: SeDebugPrivilege N/A C:\Program Files (x86)\PA Previewer\previewer.exe N/A (×2)
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege N/A N/A N/A (×12 pairs)

The SeShutdownPrivilege/SeCreatePagefilePrivilege pairs with no recorded process are routine; Chromium-based browsers such as the Edge instances launched here commonly request them. The SeDebugPrivilege requests are the ones to follow: AppLaunch.exe (hosting injected code), A1DB.exe, kos.exe, previewer.exe (installed to Program Files (x86)\PA Previewer by the Inno Setup stage) and aspnet_compiler.exe, a 64-bit .NET Framework host that appears nowhere else in this report and is, like AppLaunch.exe, a standard process-hollowing target.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (×26)
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe N/A

The msedge.exe calls are ordinary browser UI activity. AddInProcess.exe is a 64-bit .NET Framework host that appears nowhere else in this report; like AppLaunch.exe and aspnet_compiler.exe it is a standard target for hollowing, so the instance here deserves the same scrutiny as the AppLaunch.exe processes.

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (×24)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1116 wrote to memory of 4392 (×3) N/A C:\Users\Admin\AppData\Local\Temp\2d93013237a3db383bd2001b9e953abc5409d73164a5b6bca93f3e76c16f2650.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9353222.exe
PID 4392 wrote to memory of 3404 (×3) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9353222.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6383930.exe
PID 3404 wrote to memory of 5016 (×3) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6383930.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2591225.exe
PID 5016 wrote to memory of 3400 (×3) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2591225.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8715372.exe
PID 3400 wrote to memory of 3172 (×8) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8715372.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5016 wrote to memory of 4516 (×3) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2591225.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2192862.exe
PID 4516 wrote to memory of 4576 (×3) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2192862.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4516 wrote to memory of 3520 (×10) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2192862.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3404 wrote to memory of 1456 (×3) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6383930.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2631785.exe
PID 1456 wrote to memory of 3876 (×8) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2631785.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4392 wrote to memory of 1708 (×3) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9353222.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6272247.exe
PID 1708 wrote to memory of 1300 (×6) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6272247.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1116 wrote to memory of 3356 (×3) N/A C:\Users\Admin\AppData\Local\Temp\2d93013237a3db383bd2001b9e953abc5409d73164a5b6bca93f3e76c16f2650.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8263180.exe
PID 3196 wrote to memory of 1676 (×2) N/A N/A C:\Windows\system32\cmd.exe
PID 1676 wrote to memory of 4156 (×2) N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4156 wrote to memory of 1440 (×1) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Read as a tree, these writes give the delivery chain. The uniform three writes that accompany every spawn (1116 → 4392 → 3404 → 5016 → 3400, and the siblings 4516, 1456, 1708 and 3356) are what ordinary process creation looks like in this log. The six to ten writes that a8715372.exe, b2192862.exe, c2631785.exe and d6272247.exe each make into a freshly started AppLaunch.exe are the payload being placed into the host, and with "Suspicious use of SetThreadContext" also firing this is the process-hollowing pattern. The WerFault command lines under Processes (-p 3400, 4516, 3520, 1456 and 1708) show that four of those injectors and one of the AppLaunch.exe hosts crashed, which is what the "Program crash" signature records. The second, parent-less chain (3196 → cmd.exe → msedge.exe) is 9064.bat opening Edge on https://www.facebook.com/login and https://accounts.google.com/, behaviour that fits the Fabookie classification.
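Rebuilding that chain programmatically, as an added example that is not part of the original report: the event tuples are the table above with identical rows collapsed to a count, the WerFault command lines are taken from the Processes section, and the "more writes than a plain spawn" threshold together with the list of host binaries are the editor's heuristics rather than anything the sandbox applies.

```python
"""Rebuild the injection chain from the WriteProcessMemory table and tie it to the crashes.
Added example for this report, not sandbox output: EVENTS and WERFAULT_CMDLINES are
transcribed from the tables above; HOST_BINARIES and SPAWN_BASELINE are the editor's
heuristics (assumptions), not rules the sandbox applies."""
import re
from collections import defaultdict

T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = T + r"\2d93013237a3db383bd2001b9e953abc5409d73164a5b6bca93f3e76c16f2650.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
CMD = r"C:\Windows\system32\cmd.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# (source PID, target PID, source image, target image, identical rows in the table)
EVENTS = [
    (1116, 4392, SAMPLE, T + r"\IXP000.TMP\v9353222.exe", 3),
    (4392, 3404, T + r"\IXP000.TMP\v9353222.exe", T + r"\IXP001.TMP\v6383930.exe", 3),
    (3404, 5016, T + r"\IXP001.TMP\v6383930.exe", T + r"\IXP002.TMP\v2591225.exe", 3),
    (5016, 3400, T + r"\IXP002.TMP\v2591225.exe", T + r"\IXP003.TMP\a8715372.exe", 3),
    (3400, 3172, T + r"\IXP003.TMP\a8715372.exe", APPLAUNCH, 8),
    (5016, 4516, T + r"\IXP002.TMP\v2591225.exe", T + r"\IXP003.TMP\b2192862.exe", 3),
    (4516, 4576, T + r"\IXP003.TMP\b2192862.exe", APPLAUNCH, 3),
    (4516, 3520, T + r"\IXP003.TMP\b2192862.exe", APPLAUNCH, 10),
    (3404, 1456, T + r"\IXP001.TMP\v6383930.exe", T + r"\IXP002.TMP\c2631785.exe", 3),
    (1456, 3876, T + r"\IXP002.TMP\c2631785.exe", APPLAUNCH, 8),
    (4392, 1708, T + r"\IXP000.TMP\v9353222.exe", T + r"\IXP001.TMP\d6272247.exe", 3),
    (1708, 1300, T + r"\IXP001.TMP\d6272247.exe", APPLAUNCH, 6),
    (1116, 3356, SAMPLE, T + r"\IXP000.TMP\e8263180.exe", 3),
    (3196, 1676, None, CMD, 2),  # source image not recorded by the sandbox
    (1676, 4156, CMD, EDGE, 2),
    (4156, 1440, EDGE, EDGE, 1),
]
# WerFault command lines from the Processes section; -p carries the PID of the faulting process.
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3400 -ip 3400",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 572",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 540",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 552",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 552",
]
# Assumption: Microsoft-signed .NET hosts that loaders commonly start suspended and hollow.
HOST_BINARIES = {"applaunch.exe", "aspnet_compiler.exe", "addinprocess.exe", "regasm.exe", "regsvcs.exe"}
# Assumption: in this log an ordinary CreateProcess shows as exactly three parent-to-child writes.
SPAWN_BASELINE = 3


def basename(path):
    return (path or "<unknown>").rsplit("\\", 1)[-1]


def build_graph(events):
    """children[pid] -> [(child_pid, writes)] in table order; image[pid] -> path."""
    children, image = defaultdict(list), {}
    for src, dst, src_img, dst_img, writes in events:
        children[src].append((dst, writes))
        if src_img:
            image[src] = src_img
        image[dst] = dst_img
    return children, image


def roots(events):
    """PIDs that write to others but were never written to: the entry point of each chain."""
    return sorted({e[0] for e in events} - {e[1] for e in events})


def chains(events):
    """Every root-to-leaf PID path, depth-first in table order."""
    children, paths = build_graph(events)[0], []

    def walk(pid, path):
        if pid not in children:
            paths.append(path)
            return
        for child, _ in children[pid]:
            walk(child, path + [child])

    for root in roots(events):
        walk(root, [root])
    return paths


def hollowing_candidates(events):
    """(injector, target, writes) where a host binary got more than a spawn's worth of writes."""
    return [(src, dst, w) for src, dst, _, dst_img, w in events
            if basename(dst_img).lower() in HOST_BINARIES and w > SPAWN_BASELINE]


def crashed_processes(events, werfault_cmdlines):
    """Map the -p PID in each WerFault command line back to the image that crashed."""
    image = build_graph(events)[1]
    crashed = {}
    for cmdline in werfault_cmdlines:
        m = re.search(r"-p (\d+)", cmdline)
        if m:
            crashed[int(m.group(1))] = basename(image.get(int(m.group(1))))
    return dict(sorted(crashed.items()))


if __name__ == "__main__":
    names = build_graph(EVENTS)[1]
    for path in chains(EVENTS):
        print(" -> ".join(f"{pid}:{basename(names.get(pid))}" for pid in path))
    print("hollowing candidates:", hollowing_candidates(EVENTS))
    print("crashed:", crashed_processes(EVENTS, WERFAULT_CMDLINES))
```

Swap EVENTS for rows exported from your own sandbox or EDR (parent PID, child PID, images, write count) and the same three functions give you the entry points, the hosts that received more than a spawn's worth of writes, and which stage died; note that b2192862.exe's first AppLaunch.exe (4576) stays below the threshold while its second (3520) does not, which is exactly the kind of distinction the raw table hides.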

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2d93013237a3db383bd2001b9e953abc5409d73164a5b6bca93f3e76c16f2650.exe

"C:\Users\Admin\AppData\Local\Temp\2d93013237a3db383bd2001b9e953abc5409d73164a5b6bca93f3e76c16f2650.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9353222.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9353222.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6383930.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6383930.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2591225.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2591225.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8715372.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8715372.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3400 -ip 3400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 552

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2192862.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2192862.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4516 -ip 4516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4516 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3520 -ip 3520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3520 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2631785.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2631785.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1456 -ip 1456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 552

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6272247.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6272247.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1708 -ip 1708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 552

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8263180.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8263180.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9064.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd213a46f8,0x7ffd213a4708,0x7ffd213a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd213a46f8,0x7ffd213a4708,0x7ffd213a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,17101349321172774947,3942699088319058248,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,17101349321172774947,3942699088319058248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2928 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,17101349321172774947,3942699088319058248,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2884 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17101349321172774947,3942699088319058248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17101349321172774947,3942699088319058248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,6079877712253068752,5120596992144408072,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17101349321172774947,3942699088319058248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,6079877712253068752,5120596992144408072,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\9DE2.exe

C:\Users\Admin\AppData\Local\Temp\9DE2.exe

C:\Users\Admin\AppData\Local\Temp\A1DB.exe

C:\Users\Admin\AppData\Local\Temp\A1DB.exe

C:\Users\Admin\AppData\Local\Temp\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\ss41.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\A6DD.exe

C:\Users\Admin\AppData\Local\Temp\A6DD.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17101349321172774947,3942699088319058248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17101349321172774947,3942699088319058248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\AD08.exe

C:\Users\Admin\AppData\Local\Temp\AD08.exe

C:\Users\Admin\AppData\Local\Temp\kos1.exe

"C:\Users\Admin\AppData\Local\Temp\kos1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\set16.exe

"C:\Users\Admin\AppData\Local\Temp\set16.exe"

C:\Users\Admin\AppData\Local\Temp\kos.exe

"C:\Users\Admin\AppData\Local\Temp\kos.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\is-8E8S8.tmp\is-Q41MU.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8E8S8.tmp\is-Q41MU.tmp" /SL4 $60090 "C:\Users\Admin\AppData\Local\Temp\set16.exe" 1232936 52224

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -i

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 8

C:\Program Files (x86)\PA Previewer\previewer.exe

"C:\Program Files (x86)\PA Previewer\previewer.exe" -s

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,17101349321172774947,3942699088319058248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17101349321172774947,3942699088319058248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17101349321172774947,3942699088319058248,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,17101349321172774947,3942699088319058248,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,17101349321172774947,3942699088319058248,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u RVN:RBvfugTGdvfZCHCgvSoHZdsYt2u1JwYhUP.RIG_CPU -p x --cpu-max-threads-hint=50

Network

Country  Destination            Domain                         Proto
US       8.8.8.8:53             8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53             68.32.126.40.in-addr.arpa      udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53             241.154.82.20.in-addr.arpa     udp
US       8.8.8.8:53             208.194.73.20.in-addr.arpa     udp
US       8.8.8.8:53             39.142.81.104.in-addr.arpa     udp
FI       77.91.124.82:19071     -                              tcp
US       8.8.8.8:53             50.23.12.20.in-addr.arpa       udp
US       8.8.8.8:53             198.187.3.20.in-addr.arpa      udp
FI       77.91.68.29:80         77.91.68.29                    tcp
FI       77.91.124.231:80       -                              tcp
US       8.8.8.8:53             29.68.91.77.in-addr.arpa       udp
FI       77.91.124.82:19071     -                              tcp
FI       77.91.68.29:80         77.91.68.29                    tcp
FI       77.91.124.231:80       -                              tcp
FI       77.91.124.82:19071     -                              tcp
US       8.8.8.8:53             158.240.127.40.in-addr.arpa    udp
US       8.8.8.8:53             57.169.31.20.in-addr.arpa      udp
FI       77.91.68.29:80         77.91.68.29                    tcp
FI       77.91.68.61:80         77.91.68.61                    tcp
RU       5.42.65.80:80          5.42.65.80                     tcp
US       8.8.8.8:53             61.68.91.77.in-addr.arpa       udp
US       8.8.8.8:53             80.65.42.5.in-addr.arpa        udp
US       8.8.8.8:53             www.facebook.com               udp
US       8.8.8.8:53             accounts.google.com            udp
NL       157.240.247.35:443     www.facebook.com               tcp
NL       142.250.179.141:443    accounts.google.com            tcp
NL       142.250.179.141:443    accounts.google.com            udp
US       8.8.8.8:53             static.xx.fbcdn.net            udp
NL       157.240.201.15:443     static.xx.fbcdn.net            tcp
NL       157.240.201.15:443     static.xx.fbcdn.net            tcp
NL       157.240.201.15:443     static.xx.fbcdn.net            tcp
NL       157.240.201.15:443     static.xx.fbcdn.net            tcp
NL       157.240.201.15:443     static.xx.fbcdn.net            tcp
NL       157.240.201.15:443     static.xx.fbcdn.net            tcp
US       8.8.8.8:53             facebook.com                   udp
NL       157.240.201.35:443     facebook.com                   tcp
US       8.8.8.8:53             35.247.240.157.in-addr.arpa    udp
US       8.8.8.8:53             141.179.250.142.in-addr.arpa   udp
US       8.8.8.8:53             15.201.240.157.in-addr.arpa    udp
US       8.8.8.8:53             fbcdn.net                      udp
NL       157.240.201.35:443     fbcdn.net                      tcp
US       8.8.8.8:53             fbsbx.com                      udp
FI       77.91.68.78:80         77.91.68.78                    tcp
US       8.8.8.8:53             35.201.240.157.in-addr.arpa    udp
US       8.8.8.8:53             131.179.250.142.in-addr.arpa   udp
US       8.8.8.8:53             78.68.91.77.in-addr.arpa       udp
US       8.8.8.8:53             195.179.250.142.in-addr.arpa   udp
US       8.8.8.8:53             z.nnnaajjjgc.com               udp
MU       156.236.72.121:443     z.nnnaajjjgc.com               tcp
US       8.8.8.8:53             121.72.236.156.in-addr.arpa    udp
US       8.8.8.8:53             147.174.42.23.in-addr.arpa     udp
N/A      224.0.0.251:5353       -                              udp
US       8.8.8.8:53             176.25.221.88.in-addr.arpa     udp
NL       141.98.6.38:39001      -                              tcp
US       8.8.8.8:53             38.6.98.141.in-addr.arpa       udp
US       8.8.8.8:53             22.236.111.52.in-addr.arpa     udp
FI       77.91.124.82:19071     -                              tcp
MD       176.123.9.85:16482     -                              tcp
US       8.8.8.8:53             iplogger.com                   udp
DE       148.251.234.93:443     iplogger.com                   tcp
MD       176.123.9.142:37637    -                              tcp
US       8.8.8.8:53             85.9.123.176.in-addr.arpa      udp
US       8.8.8.8:53             93.234.251.148.in-addr.arpa    udp
US       8.8.8.8:53             142.9.123.176.in-addr.arpa     udp
US       8.8.8.8:53             app.nnnaajjjgc.com             udp
HK       154.221.26.108:80      app.nnnaajjjgc.com             tcp
US       8.8.8.8:53             108.26.221.154.in-addr.arpa    udp
US       8.8.8.8:53             transfer.sh                    udp
DE       144.76.136.153:443     transfer.sh                    tcp
US       8.8.8.8:53             153.136.76.144.in-addr.arpa    udp
US       8.8.8.8:53             58.99.105.20.in-addr.arpa      udp
US       8.8.8.8:53             rx.unmineable.com              udp
US       165.227.182.82:3333    rx.unmineable.com              tcp
US       8.8.8.8:53             82.182.227.165.in-addr.arpa    udp
US       8.8.8.8:53             tse1.mm.bing.net               udp
US       204.79.197.200:443     tse1.mm.bing.net               tcp
US       204.79.197.200:443     tse1.mm.bing.net               tcp
US       204.79.197.200:443     tse1.mm.bing.net               tcp
US       8.8.8.8:53             host-file-host6.com            udp
US       8.8.8.8:53             host-host-file8.com            udp
NL       194.169.175.127:80     host-host-file8.com            tcp
US       8.8.8.8:53             127.175.169.194.in-addr.arpa   udp
US       8.8.8.8:53             8.173.189.20.in-addr.arpa      udp

A "-" in the Domain column means the report recorded no domain for that connection.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9353222.exe

MD5 2807b5cff08f68b282a34de70955641d
SHA1 95477cab63f1adcdb48f4807ab4523dbb1a98ac7
SHA256 0141d7cdb1f2ff33691e5a53e79b879100193fe2dd1317dff71f39b275bcbb5d
SHA512 a7829b56702675c82eb753045dfeb4d3162ceb358d453e24ea856fceea77aa8ba3a9f27ceed43de9d18f238f7b6a0a63d487e9f600a032aa553d4a745ede9cb9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6383930.exe

MD5 ba8189becc83c18b0b5f746002a71a9c
SHA1 ec68f94148565667284775d36a23340f55c0d9ad
SHA256 84511f9b4126f42fc50f3391438e9c1dd2e4fe44152cd027635fa1b29ea7d428
SHA512 20d644d4a377c83d9fa422bd8268f75fac955679c2ba1a7319ede34526d760371ba5775718707e048add28dd9b37c74b299f6bcbc8f2d787eb36ca92953c6c05

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2591225.exe

MD5 ffe839c2ef378c4e631890f051b76dbd
SHA1 c17b0f96739136548093bd67f5be0b6899cd7b56
SHA256 dd9f7b4e354750de24e91758995a6e8761471f586ce0297f21f04c411bb352db
SHA512 faa8b4d09007ebb26a15b395da33b82bbc2a16c977c0f829eee8fb27469764ff5e3380ec9a0987155781abb2b91b170f4b52a44fab79214fba23919b5c1d8137

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8715372.exe

MD5 de8c87bd187c6ffbc860e7534cddc1ff
SHA1 8e30b17c74a8556385c9ec99ed63ab83822213e9
SHA256 fd5821650cc02e70bc5f7c3f7d4ddc70a4584a72f7d5c28912414dcccb4612f1
SHA512 217e879fdd952263b2751422ae50ee99e6f46184b32098f45b7f96b96d182e484012c3f486999267630e9a5f3264d8080dc82a7e867ecff54be540010da076a9

memory/3172-28-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3172-29-0x0000000074050000-0x0000000074800000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2192862.exe

MD5 ca6e2730611198772dd7db8d994bea9b
SHA1 5d7657f8871f59c88ce7893b2655b7f95c0f427f
SHA256 fd0f76dfa761397c868756da5b96ddf0eeed84e68055a90d7b78b18beb13312e
SHA512 0e9de8ea005f9cef0a59aeebc2601dffc6ce5faadb0a4370d95cdf89083f3e478b14d927c6e0f86cedaddcbecd30a1ac34e23b083cdec84f24e51e3df12088c9

memory/3520-33-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3520-34-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3520-35-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3520-37-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2631785.exe

MD5 9643e41ed4d061f5377b08d793b7bb71
SHA1 937bff829431df63c5be227dc3b05088209d84c1
SHA256 40dbb745d8b25ea59a21d375f3cf0e2a2e100c2e4ea0f945b62417136b1de1bb
SHA512 75007d877ff761135493829f4625cf513762f6ab678f1f581a01fdec837abb5b151c3910f7a144715670cd5900aa8d2d224981e8c506653a551be6fd46d5d9a9

memory/3876-41-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3876-43-0x0000000074050000-0x0000000074800000-memory.dmp

memory/3876-42-0x0000000000ED0000-0x0000000000ED6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d6272247.exe

MD5 1bcfaf73ef2c41d1f8e313c13cd8735d
SHA1 cb9d0942fafdeccda0be382114760f119ca580a3
SHA256 8aaf0506d70a3ed66aa38e43cb49cf2d241e8836e5df597619b15fdd36924bc7
SHA512 48595d5fd25dc6a2c28e99b427a30c6e7576628088c94bef2b9ce418894acf97aa6f53b978c637625ba71a3ab8a232eb5f58ccbea5ea58877593947968f4ae58

memory/3876-47-0x000000000A890000-0x000000000AEA8000-memory.dmp

memory/3876-48-0x000000000A3E0000-0x000000000A4EA000-memory.dmp

memory/3876-49-0x000000000A320000-0x000000000A332000-memory.dmp

memory/3172-50-0x0000000074050000-0x0000000074800000-memory.dmp

memory/3876-51-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

memory/3876-52-0x000000000A380000-0x000000000A3BC000-memory.dmp

memory/1300-53-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1300-54-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3876-55-0x000000000A4F0000-0x000000000A53C000-memory.dmp

memory/3172-57-0x0000000074050000-0x0000000074800000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e8263180.exe

MD5 8d80cb6727cb7390740c44acd21bf8bb
SHA1 f72f73fa3e925ded0697c40fc625b2ff8d0aa560
SHA256 115f90df8513f0d7d4c0834ad7e2f6dc86f7d3da65f0cb224813f74fc780cf50
SHA512 79b6385ccaa84367d7acae400d4b21ecf8fa5f18378da87f58def8a409d8045e0e3ec387c02091c2416817e2ee350a5ba15aba64848525581ef1c34aac0c974f

memory/3196-61-0x0000000002BA0000-0x0000000002BB6000-memory.dmp

memory/1300-62-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3876-65-0x0000000074050000-0x0000000074800000-memory.dmp

memory/3876-66-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9064.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6351be8b63227413881e5dfb033459cc
SHA1 f24489be1e693dc22d6aac7edd692833c623d502
SHA256 e24cda01850900bdb3a4ae5f590a76565664d7689026c146eb96bcd197dac88b
SHA512 66e249488a2f9aa020834f3deca7e4662574dcab0cbb684f21f295f46d71b11f9494b075288189d9df29e4f3414d4b86c27bf8823005d400a5946d7b477f0aef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

\??\pipe\LOCAL\crashpad_2220_CXXPZLPAAPYPXIEC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bc1181a759e35d7c0bd6fd763597149b
SHA1 1b93add3519b13bd54614c4a502079d272fbf0ea
SHA256 53c6698513d7c517d3c57f90750bc2e60beb144361291ee80ba8e6f4e62afd97
SHA512 160284e97b8dfdff989702342abca0a0b2c8123a29317a6a25fd7fa7bec48bd8ff14cbe165188491c00dd889e41e2a1c033f2eddd64cc4bf442fef90e3af2076

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 adaa984e8ab89558dd83063589addcf8
SHA1 83f39be35633fb47ebb23b2234d6617f4ca45643
SHA256 029676fc93658c40002b5fc36da91b7a4a6052a4f43c9f414d20216c7059eff6
SHA512 e3b5eefbd05acbf18718639142f054088e808726cd9e29f2d1e61b7ef425df8bc43a02f327d765f21103c0d644ee704bde31fd4a2bb8257ee1ceecb40f269c97

\??\pipe\LOCAL\crashpad_4156_YLMKUIRUUOZPFRSY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\9DE2.exe

MD5 6b254caca548f0be01842a0c4bd4c649
SHA1 79bbeed18d08c3010e8954f6d5c9f52967dcc32e
SHA256 01a7afff3220c1a442e3b8bc41dbf4036e9c223f9aab374265d9beae0709e434
SHA512 b69f8c71f2b71268150cc74e8e842b6526e87c5e944d163bb3def85cc919428c249a733ca9bbefc4cf4b80a8dbf6961b8e6f0333194713faf10551b8eb97d3ff

C:\Users\Admin\AppData\Local\Temp\A1DB.exe

MD5 ef11a166e73f258d4159c1904485623c
SHA1 bc1f4c685f4ec4f617f79e3f3f8c82564cccfc4e
SHA256 dc24474e1211ef4554c63f4d70380cc71063466c3d0a07e1a4d0726e0f587747
SHA512 2db0b963f92ce1f0b965011f250361e0951702267e8502a7648a726c407941e6b95abb360545e61ff7914c66258ee33a86766b877da3ad4603d68901fbd95708

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

memory/2788-220-0x000001FA70EF0000-0x000001FA70FD6000-memory.dmp

memory/5048-233-0x00007FF7F1680000-0x00007FF7F1759000-memory.dmp

memory/2788-232-0x00007FFD1DEC0000-0x00007FFD1E981000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d974162e0cccb469e745708ced4124c0
SHA1 2749ebc0ddaa6ae0c59c1f92f6dbb509cc0f5929
SHA256 77793c069040127f89af88feb293829bd66c1df811b31d5b709868f0c9dd1df5
SHA512 ab716b96f09c5a8c1a957c209ed13958f5a21abcd488437aab8f1b1107e758207e3a51c264b39463256bf58a2266de771fa73477b0555be6cc4221f84e3684a1

memory/2788-245-0x000001FA73500000-0x000001FA735E2000-memory.dmp

memory/2788-250-0x000001FA734F0000-0x000001FA73500000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos1.exe

MD5 85b698363e74ba3c08fc16297ddc284e
SHA1 171cfea4a82a7365b241f16aebdb2aad29f4f7c0
SHA256 78efcbb0c6eb6a4c76c036adc65154b8ff028849f79d508e45babfb527cb7cfe
SHA512 7e4816c43e0addba088709948e8aedc9e39d6802c74a75cfbc2a0e739b44c5b5eef2bb2453b7032c758b0bdb38e4e7a598aa29be015796361b81d7f9e8027796

memory/2788-260-0x000001FA735E0000-0x000001FA7362C000-memory.dmp

memory/1920-265-0x0000000000900000-0x0000000000AD8000-memory.dmp

memory/236-268-0x0000000000B70000-0x0000000000CE4000-memory.dmp

memory/236-269-0x0000000074050000-0x0000000074800000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A6DD.exe

MD5 52c2f13a9fa292d1f32439dde355ff71
SHA1 03a9aa82a8070de26b9a347cfbd4090fd239f8df
SHA256 020c6da8f2bbd3a3f15dcbc8808255c2650df37f2b499b680e69d9e3cb1c1316
SHA512 097d5415d7ed0ebb6b6f89cc38b29471a47ef99df79e7c6b0b01592174dfb115abdf496126bb7177527c252803bcc53a31b8c40d2f1aa65fae4331b5afe9e36a

C:\Users\Admin\AppData\Local\Temp\AD08.exe

MD5 bf58b6afac98febc716a85be5b8e9d9e
SHA1 4a36385b3f8e8a84a995826d77fcd8e76eba7328
SHA256 16b88051fd1e27d08d1408bb51002dd25edb88292807a92ee25ba5f4c0895b8d
SHA512 a3f8deabbb35e4d4928ec6cf836cdef1a57aed879ce10646d3f8cd9cccf93c0c80c89d1e82dc6c9c558f61429eb6416f5ecd8235f8933f90db6bb46f7cf165ec

memory/2788-249-0x000001FA73420000-0x000001FA734F0000-memory.dmp

memory/1920-274-0x0000000000900000-0x0000000000AD8000-memory.dmp

memory/208-279-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/1556-278-0x0000000000400000-0x000000000045A000-memory.dmp

memory/208-282-0x0000025C50300000-0x0000025C50402000-memory.dmp

memory/2788-287-0x00007FFD1DEC0000-0x00007FFD1E981000-memory.dmp

memory/208-296-0x0000025C50480000-0x0000025C50490000-memory.dmp

memory/344-300-0x0000000000400000-0x0000000000413000-memory.dmp

memory/1920-302-0x0000000000900000-0x0000000000AD8000-memory.dmp

memory/3004-309-0x0000000000400000-0x0000000000469000-memory.dmp

memory/3004-301-0x0000000000540000-0x000000000059A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos.exe

MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA1 7b40783a27a38106e2cc91414f2bc4d8b484c578
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90
SHA512 75e274a654e88feb0d66156f387bc5e420811f4f62939396a7455d12e835d7e134b2579ab59976c591b416d1ec1acdf05e9eb290c8f01383c6a50bf43854420b

memory/1556-320-0x0000000008070000-0x0000000008614000-memory.dmp

memory/1556-322-0x0000000007BA0000-0x0000000007C32000-memory.dmp

memory/208-323-0x0000025C4E9D0000-0x0000025C4E9D8000-memory.dmp

memory/208-324-0x0000025C68CB0000-0x0000025C68D06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\set16.exe

MD5 22d5269955f256a444bd902847b04a3b
SHA1 41a83de3273270c3bd5b2bd6528bdc95766aa268
SHA256 ab16986253bd187e3134f27495ef0db4b648f769721bc8c84b708c7ba69156fd
SHA512 d85ada5d8c2c02932a79241a484b088ba70bda0497fd8ad638300935a16841d7cbc8258be93055907cb533bc534fdd48c7c91109fa22f87e65a6b374cd51055c

memory/1556-303-0x0000000074050000-0x0000000074800000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/208-288-0x00007FFD1DEC0000-0x00007FFD1E981000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 2527628a2b3b4343c614e48132ab3edb
SHA1 0d60f573a21251dcfd61d28a7a0566dc29d38aa6
SHA256 04ce968bedd7f177b35e130887aee1ec599e3d7b72f45f370f3ade343950b6bf
SHA512 416b0990011e24ba2d03d3859b63a2b2ba4494aafeb6cd27efd335055ab063bd677902b74faa1162493dae827a96ef768b957f8a407d25902c067a13a8718dd2

memory/1556-332-0x0000000007CC0000-0x0000000007CD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 adaa984e8ab89558dd83063589addcf8
SHA1 83f39be35633fb47ebb23b2234d6617f4ca45643
SHA256 029676fc93658c40002b5fc36da91b7a4a6052a4f43c9f414d20216c7059eff6
SHA512 e3b5eefbd05acbf18718639142f054088e808726cd9e29f2d1e61b7ef425df8bc43a02f327d765f21103c0d644ee704bde31fd4a2bb8257ee1ceecb40f269c97

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d7c9ea4f829258c4313b8687515936ff
SHA1 df081a246c388dc41dd700188147fd8eee1049b3
SHA256 d0359fc29bdf76317ac950857dc1df9ba27bfcbecac09863443f8ac102cad1a3
SHA512 ec781c7e7aba279a8452abe317ebd7a15243c2c54bf98d72f2d34e70ae146fed3f1f0a993058b773dc32bcbc3ab8a900fc315834d91bd178332cca7603020b3b

memory/1556-357-0x0000000007C50000-0x0000000007C5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-8E8S8.tmp\is-Q41MU.tmp

MD5 2fba5642cbcaa6857c3995ccb5d2ee2a
SHA1 91fe8cd860cba7551fbf78bc77cc34e34956e8cc
SHA256 ddec51f3741f3988b9cc792f6f8fc0dfa2098ef0eb84c6a2af7f8da5a72b40fa
SHA512 30613b43427d17115134798506f197c0f5f8b2b9f247668fa25b9dd4853bbd97ac1e27f4e3325dec4f6dfc0e448ebbddb2969ad1a1781aa59ebf522d436aed7c

memory/564-361-0x00007FFD1DEC0000-0x00007FFD1E981000-memory.dmp

memory/3004-362-0x0000000074050000-0x0000000074800000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-OOCPC.tmp\_isetup\_isdecmp.dll

MD5 b4786eb1e1a93633ad1b4c112514c893
SHA1 734750b771d0809c88508e4feb788d7701e6dada
SHA256 2ae4169f721beb389a661e6dbb18bc84ef38556af1f46807da9d87aec2a6f06f
SHA512 0882d2aa163ece22796f837111db0d55158098035005e57cd2e9b8d59dc2e582207840bf98bee534b81c368acf60ab5d8ecbe762209273bda067a215cdb2c0c6

memory/236-378-0x0000000074050000-0x0000000074800000-memory.dmp

memory/564-380-0x0000000002F60000-0x0000000002F70000-memory.dmp

memory/4236-381-0x0000000000710000-0x0000000000711000-memory.dmp

memory/3004-379-0x0000000007670000-0x0000000007680000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-OOCPC.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 699e3636ed7444d9b47772e4446ccfc1
SHA1 db0459ca6ceeea2e87e0023a6b7ee06aeed6fded
SHA256 9205233792628ecf0d174de470b2986abf3adfed702330dc54c4a76c9477949a
SHA512 d5d4c08b6aec0f3e3506e725decc1bdf0b2e2fb50703c36d568c1ea3c3ab70720f5aec9d49ad824505731eb64db399768037c9f1be655779ed77331a7bab1d51

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a6b2cdf507c0d0f6219396bb372dd0ec
SHA1 d9884639d00f7d12dc8e2a5e47064328238d2685
SHA256 b45d030dce2a580524a0767966f1ed5996573e71c468167b53ebdee7e3c096fb
SHA512 e6553e239da5ff5193153f54e3dd4fbb56cbd9bab01280717429a69b4795aaaca4b4752ffde74320b61d4ca370c8508da0eef6eb52c0193ea7f3da430a96763f

memory/564-335-0x0000000000FA0000-0x0000000000FA8000-memory.dmp

C:\Program Files (x86)\PA Previewer\previewer.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/904-394-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/904-399-0x0000000000400000-0x00000000005F1000-memory.dmp

C:\ProgramData\ContentDVSvc\ContentDVSvc.exe

MD5 27b85a95804a760da4dbee7ca800c9b4
SHA1 f03136226bf3dd38ba0aa3aad1127ccab380197c
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245
SHA512 e760a15370272aa9541f1afceaaf4f5a8068dad21c6a8d50ebd01514e16bbc8f867c8af349080f3d1fa7a19eafe7cde74921d01716dea69ef801da1b74eae4a7

memory/1556-400-0x00000000087A0000-0x0000000008806000-memory.dmp

memory/4648-403-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/904-395-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/208-404-0x00007FFD1DEC0000-0x00007FFD1E981000-memory.dmp

memory/1556-408-0x0000000074050000-0x0000000074800000-memory.dmp

memory/208-409-0x0000025C50480000-0x0000025C50490000-memory.dmp

memory/208-416-0x0000025C50480000-0x0000025C50490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 ec6aae2bb7d8781226ea61adca8f0586
SHA1 d82b3bad240f263c1b887c7c0cc4c2ff0e86dfe3
SHA256 b02fffaba9e664ff7840c82b102d6851ec0bb148cec462cef40999545309e599
SHA512 aa62a8cd02a03e4f462f76ae6ff2e43849052ce77cca3a2ccf593f6669425830d0910afac3cf2c46dd385454a6fb3b4bd604ae13b9586087d6f22de644f9dfc7

memory/5048-417-0x0000000003030000-0x0000000003161000-memory.dmp

memory/5048-419-0x0000000002EB0000-0x0000000003021000-memory.dmp

memory/4648-420-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/344-421-0x0000000000400000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16c2a9f4b2e1386aab0e353614a63f0d
SHA1 6edd3be593b653857e579cbd3db7aa7e1df3e30f
SHA256 0f7c58a653ae1f3999627721bad03793edc1e9d12e8f5253c30b61b8478f5c81
SHA512 aba1ed22c7b9ae1942d69a7cd7a618597300ae5c56be88187ddec6227df056f81c1d9217778d87fa8c36402bce7275d707118ff62d3a241297738da434556e06

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 29f494359b766a9c4d32063cab6734a1
SHA1 e34448988821564580aa9e23c9df3d5b0dfe9b60
SHA256 13192fed5d8f11e6ec9a1da0fcd4ff33d97995aac574f21f8c87c4c4a16748e5
SHA512 0ba5429a31795e90a4a710fa0138691a86d9ea4bd0e9348bf1c3b5ee6c1bd111407fd6bf6d25e555a0b8004991af0291eec839410c3634eb83137f5ceb41c342

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 b0ced22768369663e3de0086b70f2178
SHA1 58a29ef63cbc73207abf4849e431e6faa138a118
SHA256 dcf40f0933c8eb57bd12ea2c11c05b4357c6a74c66a018c3cd223920e0f45ef3
SHA512 90569c915c86ffb4ca1e7731ef4ba1bc96eb603a1304a0ec53bb9d33b2eba8a52fd50e1dd1bbc716c9a4cc2c4c1a775212f28df5dc60c7d4587d2420480bf54f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ec83ab879b079045ff3937639f5daf03
SHA1 eaa7f34ec88ba09ddf7c3799f5d07a2e70395853
SHA256 ad092048c08b42a98dccc4f364172ad6d3c9a20e75551f7a9461d33036d95651
SHA512 63bd58741c31031e842e7faea196d972e3603736dde90967a459259176a498af532ec7e7e92b5b2fef9909d2c0e9fbe554444fce70833a5a4b8eab40a76495e6

memory/208-496-0x0000025C50480000-0x0000025C50490000-memory.dmp

memory/1556-477-0x0000000007CC0000-0x0000000007CD0000-memory.dmp

memory/3004-505-0x0000000074050000-0x0000000074800000-memory.dmp

memory/564-506-0x00007FFD1DEC0000-0x00007FFD1E981000-memory.dmp

memory/3780-507-0x0000000000480000-0x0000000000495000-memory.dmp

memory/3780-510-0x00000000004A0000-0x00000000004A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 f0ba7739cc07608c54312e79abaf9ece
SHA1 38b075b2e04bc8eee78b89766c1cede5ad889a7e
SHA256 9e96d77f013c6ca17f641c947be11a1bb8921937ed79ec98c4b49ef4c641ae5f
SHA512 15da0554fdd9fb80325883344349b3b4d7b5a612c13eecb810c488621f805ab59c159a54c526ae92f1b81064949bf408f9f2ad07a4c8eda424b2a8f89ea6e165

memory/5704-511-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 dc5e17c3690fdcc7fd3b93a9d49cd3d2
SHA1 a06def6fe07badcf9bca5f9f16d7fee4ff633286
SHA256 4e9c4ae2b6d87a784838aaed06299836202eaad32fe800abc2054d54b8156d3b
SHA512 5a705d981004d003db944808d15c37ec8cac2c274cbc4959d8e9c4b8dc6af48b75f3b69571b8791e7ee83d638f396ad35ee331c54dbd08019c96bc0fe581be2e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58f112.TMP

MD5 e2a878328d6ecac08e0c191237106b92
SHA1 20c60f9dc9ed36b3867aa4ec25d3b20b00fb9bd0
SHA256 fbc7e70514ddb594e9a47cfa113501daf4cfb57f5e0a820ca9684201ff1be669
SHA512 9359b3070f9d13f9f6c6969f95e6f713b0a3a668579034154dc20db81964cb37d86d8c5d0028b2b4cfa77407431a0a60026ad20132c2fdf7e3c37f5e34090dcd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 1c21f2aecebfc0a49f7e8c86bc29a28f
SHA1 2bec7eef6e93e57ab4ee6cd0dc44d239dcc8e314
SHA256 9661b3713a2c76990481965206ee2c9888c097780f3d520ba7a9004069525140
SHA512 cc433d325ddff9bf02f29dd536d9b7d58a7924e9fe1f999ee65ad3ae3644a206f33cc83fdc9178e777c2fd7677761cdb2e14ed69202f6faaa8711d198f937755

memory/4236-565-0x0000000000400000-0x00000000004B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_adokdphp.zba.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3196-599-0x0000000002CC0000-0x0000000002CD6000-memory.dmp

memory/5704-600-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4600-632-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/3916-633-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/3916-636-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/3916-638-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/3916-639-0x00000171BD9B0000-0x00000171BD9D0000-memory.dmp

memory/3916-641-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/3916-642-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/3916-643-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/3916-644-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/3916-645-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/4648-647-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/4648-652-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/4648-654-0x0000000000400000-0x00000000005F1000-memory.dmp

memory/3916-658-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/3916-659-0x0000000140000000-0x00000001407CF000-memory.dmp

memory/4648-662-0x0000000000400000-0x00000000005F1000-memory.dmp
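The Files list above mixes three things that need separating before the hashes are useful: entries repeated verbatim, one binary written under several paths (previewer.exe and ContentDVSvc.exe carry the same hashes), and browser profile files that appear more than once with different hashes because they were rewritten during the run. The script below is an added example, not part of the sandbox's own tooling: it parses this listing format into a de-duplicated indicator set and tells those cases apart. The embedded sample is an abridged copy of a few entries from this page; the image-base heuristic for memory regions (0x400000 and 0x140000000 as the default 32-bit and 64-bit PE image bases) is a triage assumption, not something the report states.

```python
import re
from collections import defaultdict

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Triage assumption (not stated by the report): regions starting at the default
# 32-bit / 64-bit PE image base are the first candidates for carving an unpacked PE.
DEFAULT_IMAGE_BASES = {0x400000, 0x140000000}

# Constructed sample: entries copied from this report's Files list, abridged to MD5
# and SHA256. It contains a verbatim repeat (kos.exe twice), one binary under two
# paths (previewer.exe / ContentDVSvc.exe) and an Edge file rewritten during the run.
SAMPLE = r"""
memory/3916-633-0x0000000140000000-0x00000001407CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kos.exe
MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

memory/904-394-0x0000000000400000-0x00000000005F1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
MD5 adaa984e8ab89558dd83063589addcf8
SHA256 029676fc93658c40002b5fc36da91b7a4a6052a4f43c9f414d20216c7059eff6

C:\Users\Admin\AppData\Local\Temp\kos.exe
MD5 076ab7d1cc5150a5e9f8745cc5f5fb6c
SHA256 d1b71081d7ba414b589338329f278ba51c6ccf542d74f131f96c2337ee0a4c90

C:\Program Files (x86)\PA Previewer\previewer.exe
MD5 27b85a95804a760da4dbee7ca800c9b4
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

memory/208-282-0x0000025C50300000-0x0000025C50402000-memory.dmp
C:\ProgramData\ContentDVSvc\ContentDVSvc.exe
MD5 27b85a95804a760da4dbee7ca800c9b4
SHA256 f98b98404ecf3871a10a290ade21ad77d0b2633f47247debc53d094b9bdff245

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
MD5 a6b2cdf507c0d0f6219396bb372dd0ec
SHA256 b45d030dce2a580524a0767966f1ed5996573e71c468167b53ebdee7e3c096fb
"""

def parse_report(text):
    """Return (files, dumps): file entries with their hashes, and memory regions."""
    files, dumps, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            dumps.append({"pid": int(pid), "seq": int(seq), "start": start,
                          "end": end, "size": end - start})
            current = None  # hash lines never belong to a memory region
        elif PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
        else:
            m = HASH_RE.match(line)
            if m and current is not None:
                algo, digest = m.groups()
                if len(digest) != HASH_LEN[algo]:
                    raise ValueError(f"{algo} digest of wrong length for {current['path']}")
                current[algo.lower()] = digest.lower()
    return files, dumps

def dedupe_files(files):
    """One row per (path, sha256) with its repeat count: verbatim repeats collapse."""
    counts = {}
    for f in files:
        key = (f["path"], f.get("sha256"))
        counts[key] = counts.get(key, 0) + 1
    return counts

def paths_by_hash(files):
    """Identical content under several names, e.g. a dropper copied to a persistence dir."""
    by_hash = defaultdict(set)
    for f in files:
        if "sha256" in f:
            by_hash[f["sha256"]].add(f["path"])
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}

def rewritten_paths(files):
    """Same path with different content: modified at runtime, not a duplicate entry."""
    by_path = defaultdict(set)
    for f in files:
        if "sha256" in f:
            by_path[f["path"]].add(f["sha256"])
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}

def image_base_dumps(dumps):
    """Memory regions that start at a default PE image base (see DEFAULT_IMAGE_BASES)."""
    return [d for d in dumps if d["start"] in DEFAULT_IMAGE_BASES]
```

Feed the whole Files section to parse_report instead of SAMPLE to get a blocklist-ready hash set from dedupe_files, the copies worth checking for persistence from paths_by_hash, the profile files the stealer touched from rewritten_paths, and the regions to carve first with a PE parser from image_base_dumps.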