Malware Analysis Report

2025-08-10 23:43

Sample ID 231012-rwf4dsea5y
Target 200c7f279ff023f7a5930c9668582d2c5adeef60256f8e43147c54816d16cffe
SHA256 200c7f279ff023f7a5930c9668582d2c5adeef60256f8e43147c54816d16cffe
Tags
amadey dcrat healer redline sectoprat smokeloader @ytlogsbot breha kukish pixelscloud backdoor microsoft discovery dropper evasion infostealer persistence phishing rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

200c7f279ff023f7a5930c9668582d2c5adeef60256f8e43147c54816d16cffe

Threat Level: Known bad

The file 200c7f279ff023f7a5930c9668582d2c5adeef60256f8e43147c54816d16cffe was found to be: Known bad.

Malicious Activity Summary

SectopRAT

DcRat

Healer

RedLine

Amadey

SmokeLoader

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine payload

SectopRAT payload

Downloads MZ/PE file

Uses the VBS compiler for execution

Executes dropped EXE

Windows security modification

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Detected potential entity reuse from brand microsoft.

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-12 14:32

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 14:32

Reported

2023-10-12 14:35

Platform

win10v2004-20230915-en

Max time kernel

157s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\200c7f279ff023f7a5930c9668582d2c5adeef60256f8e43147c54816d16cffe.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A (2 occurrences)

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\9EEF.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\9EEF.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\9EEF.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\9EEF.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\9EEF.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\9EEF.exe | N/A

RedLine

infostealer redline

RedLine payload


SectopRAT

trojan rat sectoprat

SectopRAT payload


SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\A1AF.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\A411.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler for execution

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\9EEF.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IB3Rb6ry.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Lz1zq4lJ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eT0Hq5nC.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hy7hk9xD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\92A6.exe | N/A

Checks installed software on the system

discovery

Detected potential entity reuse from brand microsoft.

phishing microsoft

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A (2 occurrences)

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A (2 occurrences)

Suspicious behavior: GetForegroundWindowSpam


Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A (32 occurrences)
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A (31 occurrences)
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9EEF.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (25 occurrences)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A411.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (24 occurrences)

Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 232 wrote to memory of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\200c7f279ff023f7a5930c9668582d2c5adeef60256f8e43147c54816d16cffe.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (6 occurrences)
PID 3180 wrote to memory of 1640 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\92A6.exe (3 occurrences)
PID 3180 wrote to memory of 496 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9660.exe (3 occurrences)
PID 3180 wrote to memory of 4696 | N/A | N/A | C:\Windows\system32\cmd.exe (2 occurrences)
PID 3180 wrote to memory of 4212 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9C8C.exe (3 occurrences)
PID 3180 wrote to memory of 2588 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9EEF.exe (2 occurrences)
PID 3180 wrote to memory of 4168 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A1AF.exe (3 occurrences)
PID 4696 wrote to memory of 2444 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 occurrences)
PID 3180 wrote to memory of 2636 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A411.exe (3 occurrences)
PID 3180 wrote to memory of 1996 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A7BC.exe (3 occurrences)
PID 1640 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\92A6.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IB3Rb6ry.exe (3 occurrences)
PID 3180 wrote to memory of 4240 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A9DF.exe (3 occurrences)
PID 3368 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IB3Rb6ry.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Lz1zq4lJ.exe (3 occurrences)
PID 3180 wrote to memory of 3416 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AE74.exe (3 occurrences)
PID 4532 wrote to memory of 492 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Lz1zq4lJ.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eT0Hq5nC.exe (3 occurrences)
PID 492 wrote to memory of 1332 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eT0Hq5nC.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hy7hk9xD.exe (3 occurrences)
PID 3180 wrote to memory of 1324 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B6D2.exe (3 occurrences)
PID 2444 wrote to memory of 4356 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 occurrences)
PID 1332 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hy7hk9xD.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ey19CG6.exe (3 occurrences)
PID 4696 wrote to memory of 4308 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 occurrences)
PID 4308 wrote to memory of 4468 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 occurrences)
PID 4212 wrote to memory of 4660 | N/A | C:\Users\Admin\AppData\Local\Temp\9C8C.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (3 occurrences)
PID 496 wrote to memory of 2052 | N/A | C:\Users\Admin\AppData\Local\Temp\9660.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\200c7f279ff023f7a5930c9668582d2c5adeef60256f8e43147c54816d16cffe.exe

"C:\Users\Admin\AppData\Local\Temp\200c7f279ff023f7a5930c9668582d2c5adeef60256f8e43147c54816d16cffe.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 232 -ip 232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 232 -s 240

C:\Users\Admin\AppData\Local\Temp\92A6.exe

C:\Users\Admin\AppData\Local\Temp\92A6.exe

C:\Users\Admin\AppData\Local\Temp\9660.exe

C:\Users\Admin\AppData\Local\Temp\9660.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9A78.bat" "

C:\Users\Admin\AppData\Local\Temp\9C8C.exe

C:\Users\Admin\AppData\Local\Temp\9C8C.exe

C:\Users\Admin\AppData\Local\Temp\9EEF.exe

C:\Users\Admin\AppData\Local\Temp\9EEF.exe

C:\Users\Admin\AppData\Local\Temp\A1AF.exe

C:\Users\Admin\AppData\Local\Temp\A1AF.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\A411.exe

C:\Users\Admin\AppData\Local\Temp\A411.exe

C:\Users\Admin\AppData\Local\Temp\A7BC.exe

C:\Users\Admin\AppData\Local\Temp\A7BC.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IB3Rb6ry.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IB3Rb6ry.exe

C:\Users\Admin\AppData\Local\Temp\A9DF.exe

C:\Users\Admin\AppData\Local\Temp\A9DF.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Lz1zq4lJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Lz1zq4lJ.exe

C:\Users\Admin\AppData\Local\Temp\AE74.exe

C:\Users\Admin\AppData\Local\Temp\AE74.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eT0Hq5nC.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eT0Hq5nC.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hy7hk9xD.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hy7hk9xD.exe

C:\Users\Admin\AppData\Local\Temp\B6D2.exe

C:\Users\Admin\AppData\Local\Temp\B6D2.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc777d46f8,0x7ffc777d4708,0x7ffc777d4718

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ey19CG6.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ey19CG6.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc777d46f8,0x7ffc777d4708,0x7ffc777d4718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4212 -ip 4212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 496 -ip 496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\BBA5.exe

C:\Users\Admin\AppData\Local\Temp\BBA5.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 236

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,9135375369658476539,5227702958526375119,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,9135375369658476539,5227702958526375119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2000 -ip 2000

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3376 -ip 3376

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3376 -s 540

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Se542AZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Se542AZ.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=A7BC.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=B6D2.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc777d46f8,0x7ffc777d4708,0x7ffc777d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc777d46f8,0x7ffc777d4708,0x7ffc777d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=A7BC.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc777d46f8,0x7ffc777d4708,0x7ffc777d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=B6D2.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc777d46f8,0x7ffc777d4708,0x7ffc777d4718

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,17661055192244840132,14227015832309823301,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2488 /prefetch:1

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Network


Files

memory/5088-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5088-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5088-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5088-5-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3180-3-0x00000000011F0000-0x0000000001206000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\92A6.exe

MD5 fc275785e519d147762461e81b822fb5
SHA1 7e93329ffca55a4629981ca8c5fbf188f0f6ec00
SHA256 c1093917b7e4322484887c92f2de158e0e8c704f4d20ad6812b565e1168aa470
SHA512 2f97914349fbedb47658d271673770c95529aa11be7c2240f229efe1fedd4fb04c25fe0fb0d1f768584e1abc0f74b17b7c3903acc0752a4944ab66c3d6d41d56

C:\Users\Admin\AppData\Local\Temp\92A6.exe

MD5 fc275785e519d147762461e81b822fb5
SHA1 7e93329ffca55a4629981ca8c5fbf188f0f6ec00
SHA256 c1093917b7e4322484887c92f2de158e0e8c704f4d20ad6812b565e1168aa470
SHA512 2f97914349fbedb47658d271673770c95529aa11be7c2240f229efe1fedd4fb04c25fe0fb0d1f768584e1abc0f74b17b7c3903acc0752a4944ab66c3d6d41d56

C:\Users\Admin\AppData\Local\Temp\9660.exe

MD5 4ff3c1b46f85564cfcb9352d1ed9ab39
SHA1 a26b99f9dfa9b2293a9c4beef9cf1e3abee68a26
SHA256 b9d208c95c2320bd61e20fbadaa3100d74036d920792ab4bbb677d017d2696d8
SHA512 aba7c5a38996f02d1fd12f2d535ceae5ad2df3651a25333815fbe5fcf4b28d02b11b01f0dee81550cd94bb252580bcd6fba5b3572a82efae71dbcc810ec46b8c

C:\Users\Admin\AppData\Local\Temp\9660.exe

MD5 4ff3c1b46f85564cfcb9352d1ed9ab39
SHA1 a26b99f9dfa9b2293a9c4beef9cf1e3abee68a26
SHA256 b9d208c95c2320bd61e20fbadaa3100d74036d920792ab4bbb677d017d2696d8
SHA512 aba7c5a38996f02d1fd12f2d535ceae5ad2df3651a25333815fbe5fcf4b28d02b11b01f0dee81550cd94bb252580bcd6fba5b3572a82efae71dbcc810ec46b8c

C:\Users\Admin\AppData\Local\Temp\9A78.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\9C8C.exe

MD5 d1cb50074377a92a6a06b7b61bc87dd4
SHA1 da3eae614e37124b0b107593b267a8fbfe075188
SHA256 2593743f8dfa75ab436b3950eb63e22366ce97e1c12b1360890c1b479e88f58f
SHA512 4c30904c34d764b2e9dde7b3263d57cfc9724ad776e47d2dadd54b6afdeec023893d6244762bc42db5c0283b1c130cc32af169585b76cb1539eb44fcd9e309bb

C:\Users\Admin\AppData\Local\Temp\9C8C.exe

MD5 d1cb50074377a92a6a06b7b61bc87dd4
SHA1 da3eae614e37124b0b107593b267a8fbfe075188
SHA256 2593743f8dfa75ab436b3950eb63e22366ce97e1c12b1360890c1b479e88f58f
SHA512 4c30904c34d764b2e9dde7b3263d57cfc9724ad776e47d2dadd54b6afdeec023893d6244762bc42db5c0283b1c130cc32af169585b76cb1539eb44fcd9e309bb

C:\Users\Admin\AppData\Local\Temp\9EEF.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

C:\Users\Admin\AppData\Local\Temp\9EEF.exe

MD5 57543bf9a439bf01773d3d508a221fda
SHA1 5728a0b9f1856aa5183d15ba00774428be720c35
SHA256 70d2e4df54793d08b8e76f1bb1db26721e0398da94dca629ab77bd41cc27fd4e
SHA512 28f2eb1fef817df513568831ca550564d490f7bd6c46ada8e06b2cd81bbc59bc2d7b9f955dbfc31c6a41237d0d0f8aa40aaac7ae2fabf9902228f6b669b7fe20

memory/2588-30-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A1AF.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\A1AF.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Temp\A411.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\A411.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\A7BC.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IB3Rb6ry.exe

MD5 e680b5790a1e86900d0f54c76170bc02
SHA1 84ee7b75dd3dbcaefa29fba8eeaf92f465d2e8b7
SHA256 697363e58c000bb8c7536a95bd862971a32351c58bd4ee00b5fb5449ea4b7aa4
SHA512 29f27d662b3d29ff9dbbaed78246bf31fc608c81896d842441b712e0bca2e1a7fcfe0630cd60187bd17d2afdccab6ddbd609b3d268a830fdef4cd22739f14d12

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IB3Rb6ry.exe

MD5 e680b5790a1e86900d0f54c76170bc02
SHA1 84ee7b75dd3dbcaefa29fba8eeaf92f465d2e8b7
SHA256 697363e58c000bb8c7536a95bd862971a32351c58bd4ee00b5fb5449ea4b7aa4
SHA512 29f27d662b3d29ff9dbbaed78246bf31fc608c81896d842441b712e0bca2e1a7fcfe0630cd60187bd17d2afdccab6ddbd609b3d268a830fdef4cd22739f14d12

memory/2588-55-0x00007FFC79A70000-0x00007FFC7A531000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A9DF.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

C:\Users\Admin\AppData\Local\Temp\A7BC.exe

MD5 37e45af2d4bf5e9166d4db98dcc4a2be
SHA1 9e08985f441deb096303d11e26f8d80a23de0751
SHA256 194475450c4a476569c4e00d985454eff049435fa95da39b44308a244e7b8bca
SHA512 720bfc951f8661b8a9124b70e3d02815b91058c30fd712d7733f214b9383c7f8a344c2d2bf5ff88bec68cc751753d48bab37cc3908c790980bd01aa142904a9c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Lz1zq4lJ.exe

MD5 6492767cb0f3e03503366b0689c4908b
SHA1 aa1880eb68816b542efdd70d7936c470a321c6b9
SHA256 48e5b103af408db54e7ce5a2ed9a06db75d825d06f0919d5ffcf51c9dd6cd362
SHA512 de304e61fbe35665acf78527e57759f09f4101076a4f572506cd87398b96aa0dc46692e2ac0122772db7a46a8f3d748256497efce9d3a7c8a905eca1b3b4f48b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Lz1zq4lJ.exe

MD5 6492767cb0f3e03503366b0689c4908b
SHA1 aa1880eb68816b542efdd70d7936c470a321c6b9
SHA256 48e5b103af408db54e7ce5a2ed9a06db75d825d06f0919d5ffcf51c9dd6cd362
SHA512 de304e61fbe35665acf78527e57759f09f4101076a4f572506cd87398b96aa0dc46692e2ac0122772db7a46a8f3d748256497efce9d3a7c8a905eca1b3b4f48b

C:\Users\Admin\AppData\Local\Temp\AE74.exe

MD5 4f1e10667a027972d9546e333b867160
SHA1 7cb4d6b066736bb8af37ed769d41c0d4d1d5d035
SHA256 b0fa49565e226cabfd938256f49fac8b3372f73d6f275513d3a4cad5a911be9c
SHA512 c7d6bf074c7f4b57c766a979ad688e50a007f2d89cc149da96549f51ba0f9dc70d37555d501140c14124f1dec07d9e86a9dfff1d045fcce3e2312b741a08dd6b

memory/3416-70-0x0000000000330000-0x0000000000488000-memory.dmp

memory/1996-71-0x0000000000400000-0x000000000046F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AE74.exe

MD5 4f1e10667a027972d9546e333b867160
SHA1 7cb4d6b066736bb8af37ed769d41c0d4d1d5d035
SHA256 b0fa49565e226cabfd938256f49fac8b3372f73d6f275513d3a4cad5a911be9c
SHA512 c7d6bf074c7f4b57c766a979ad688e50a007f2d89cc149da96549f51ba0f9dc70d37555d501140c14124f1dec07d9e86a9dfff1d045fcce3e2312b741a08dd6b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eT0Hq5nC.exe

MD5 7910b59ad86f4f3c47eefb4fd0a966a3
SHA1 f5301f13773b0a2fb9f547ac1cbe925c42f517eb
SHA256 4b3b2b5e89fe623a4781ef199a3fe0f6cc45fe69c2d3db9a9910d4fb88577d00
SHA512 2c1738dd416f77b7ed18f9dedee7edba97a8b7cca824521e8b3ff65f4cbb869ea1c4ef90c63c61baf19f36215683fd731cfdd98b9706df65d5578a767c44c153

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eT0Hq5nC.exe

MD5 7910b59ad86f4f3c47eefb4fd0a966a3
SHA1 f5301f13773b0a2fb9f547ac1cbe925c42f517eb
SHA256 4b3b2b5e89fe623a4781ef199a3fe0f6cc45fe69c2d3db9a9910d4fb88577d00
SHA512 2c1738dd416f77b7ed18f9dedee7edba97a8b7cca824521e8b3ff65f4cbb869ea1c4ef90c63c61baf19f36215683fd731cfdd98b9706df65d5578a767c44c153

C:\Users\Admin\AppData\Local\Temp\A9DF.exe

MD5 1199c88022b133b321ed8e9c5f4e6739
SHA1 8e5668edc9b4e1f15c936e68b59c84e165c9cb07
SHA256 e6bd7a442e04eba451aa1f63819533b086c5a60fd9fa7506fa838515184e1836
SHA512 7aa8c3ed3a2985bb8a62557fd347d1c90790cd3f5e3b0b70c221b28cb17a0c163b8b1bac45bc014148e08105232e9abef33408a4d648ddc5362795e5669e3697

memory/1996-76-0x00000000005E0000-0x000000000063A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B6D2.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hy7hk9xD.exe

MD5 e670c3e4c372e0828bdaf328a96923bf
SHA1 325a125924e3324f35f9f59a4429fdd02a5bfbc2
SHA256 c6be53d00cb7549b541cdf24cd27db9b4b1fece244095fd84108b065d30f0c1e
SHA512 e70d7ad9ed4f230d8571ecaa3ee34614bd56ac3b081a0d72c1f69e87a4b91eb8d29c3d453e46964d531985b2d25f55030674abf2d7a5f126297210e2285ce6f5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\hy7hk9xD.exe

MD5 e670c3e4c372e0828bdaf328a96923bf
SHA1 325a125924e3324f35f9f59a4429fdd02a5bfbc2
SHA256 c6be53d00cb7549b541cdf24cd27db9b4b1fece244095fd84108b065d30f0c1e
SHA512 e70d7ad9ed4f230d8571ecaa3ee34614bd56ac3b081a0d72c1f69e87a4b91eb8d29c3d453e46964d531985b2d25f55030674abf2d7a5f126297210e2285ce6f5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ey19CG6.exe

MD5 19267b39bb0f7beb1e5007690f3028c0
SHA1 7b6688151b2652c0480f36cdb5c2cdc89ad874d8
SHA256 cac1766a6e189c3424f0b4c1f5677e518e1d315f11c36ef943e3bbf6dfa805a3
SHA512 7d5dadb747154828b2e13bf40676c4e48578e02dc32c15476191ce19092bfb781271ce5c9747435c7823b7088b8a9d703c11c44966100579c811f9243700ba52

C:\Users\Admin\AppData\Local\Temp\B6D2.exe

MD5 08b8fd5a5008b2db36629b9b88603964
SHA1 c5d0ea951b4c2db9bfd07187343beeefa7eab6ab
SHA256 e60438254142b8180dd0c4bc9506235540b8f994b5d8ecae2528dc69f45bc3a3
SHA512 033a651fabcfbc50d5b189bfe6be048469eae6fef3d8903ac1a1e7f6c744b5643d92954ae1250b3383a91e6a8b19dfe0391d89f4f57766c6bd61be666f8f6653

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1ey19CG6.exe

MD5 19267b39bb0f7beb1e5007690f3028c0
SHA1 7b6688151b2652c0480f36cdb5c2cdc89ad874d8
SHA256 cac1766a6e189c3424f0b4c1f5677e518e1d315f11c36ef943e3bbf6dfa805a3
SHA512 7d5dadb747154828b2e13bf40676c4e48578e02dc32c15476191ce19092bfb781271ce5c9747435c7823b7088b8a9d703c11c44966100579c811f9243700ba52

memory/1324-101-0x0000000000500000-0x000000000055A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 451fddf78747a5a4ebf64cabb4ac94e7
SHA1 6925bd970418494447d800e213bfd85368ac8dc9
SHA256 64d12f59d409aa1b03f0b2924e0b2419b65c231de9e04fce15cc3a76e1b9894d
SHA512 edb85a2a94c207815360820731d55f6b4710161551c74008df0c2ae10596e1886c8a9e11d43ddf121878ae35ac9f06fc66b4c325b01ed4e7bf4d3841b27e0864

memory/2588-108-0x00007FFC79A70000-0x00007FFC7A531000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

memory/3416-113-0x0000000000330000-0x0000000000488000-memory.dmp

memory/1324-114-0x0000000000400000-0x000000000046F000-memory.dmp

memory/2052-116-0x0000000000400000-0x0000000000433000-memory.dmp

memory/376-119-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2052-121-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2052-120-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BBA5.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/2052-122-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

\??\pipe\LOCAL\crashpad_4308_MPAUVQUVYGLZHXBD

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3152-129-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3416-139-0x0000000000330000-0x0000000000488000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 787cb6254f2ce5487b44394f404295ae
SHA1 28ff1de0e6fbc9eeef9d0187fdff5c9ae86a1ab1
SHA256 3149f5d5f314c8767d67e6d6b1a0d94ef26c775878670c8743d33c7593be973b
SHA512 d344475533af85558cd442bfc5415993340aa586333f1e55523d9aa59ffd8fd349a2186b8c49472d5db66b2db2af83395ce45ea6e0c7aaf8e08707af11ffcb72

memory/2052-154-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

\??\pipe\LOCAL\crashpad_2444_OMQECKFIZPMYITCS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\0356f9f7-5c60-42a0-8a4e-8f22184da656.tmp

MD5 391a3715bb9f38a56524f373cb7a5ee1
SHA1 468e0cbdec2d43e26d56a1254af63239707763b0
SHA256 20bfb084f578e051f8bcdc060702d846b1faa9f6dcec870af7e28c962a1a553e
SHA512 ae30c2abf4532ca0d49251001f31ffe6f46c24176a549c21a7bb7ca6b4ab55f01944cf33d5bcc3439807893aaa03926c58a0cab1e83dacbf9c3305aad3ba0e54

memory/3376-166-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3376-172-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3376-175-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 391a3715bb9f38a56524f373cb7a5ee1
SHA1 468e0cbdec2d43e26d56a1254af63239707763b0
SHA256 20bfb084f578e051f8bcdc060702d846b1faa9f6dcec870af7e28c962a1a553e
SHA512 ae30c2abf4532ca0d49251001f31ffe6f46c24176a549c21a7bb7ca6b4ab55f01944cf33d5bcc3439807893aaa03926c58a0cab1e83dacbf9c3305aad3ba0e54

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\d1867e56-9f1b-41c9-b262-92f94c77ee56.tmp

MD5 95b973140a96c9087a366af515c35d25
SHA1 842a0d65f026e5d8863264dcb83ae95e3f4cac00
SHA256 8bd5a048d9700f8b0e94fae670546811bc7a88197461d6ad7a2f35d60395ef31
SHA512 e7e3bf0af6b4ac1f5d8311a40d08b87de1be05c907f46a7dd30e13e21aea754be714d7fcb9eb5d475bf05e1b0fee03011a3fbab17374ad67a7bb94014e112c9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e0c01f01def69f866ead00838e9ba2ef
SHA1 6bbed6f9cade424e15aba0667387ecaf55d0250f
SHA256 1ce5ea2207bc4ed7df95f680996bb7fb4499b2fe9fd79fecebc5b45d4281d11c
SHA512 4fc4839520456d21a1c2056b068d8ac71cbd559619807610f58bc2bb4f26848f79fbf81ddcf230649ba873ce9c683ade0693620f7232f738b77d945bca1ee54e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d985875547ce8936a14b00d1e571365f
SHA1 040d8e5bd318357941fca03b49f66a1470824cb3
SHA256 8455a012296a7f4b10ade39e1300cda1b04fd0fc1832ffc043e66f48c6aecfbf
SHA512 ca31d3d6c44d52a1f817731da2e7ac98402cd19eeb4b48906950a2f22f961c8b1f665c3eaa62bf73cd44eb94ea377f7e2ceff9ef682a543771344dab9dbf5a38

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/3832-220-0x0000000000780000-0x00000000007DA000-memory.dmp

memory/4240-221-0x0000000000B60000-0x0000000000B7E000-memory.dmp

memory/3832-224-0x0000000073030000-0x00000000737E0000-memory.dmp

memory/3152-225-0x0000000073030000-0x00000000737E0000-memory.dmp

memory/376-226-0x0000000073030000-0x00000000737E0000-memory.dmp

memory/4240-227-0x0000000073030000-0x00000000737E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Se542AZ.exe

MD5 673f1a9a2840fd09fbb58a2a98a0bf9b
SHA1 53524fcd7c87d0afe805b6a3c4ef4d0372d302aa
SHA256 7daa019b3cfa961b581402c809b976f5af41a2ea57c94e933b8f24e46daaf97b
SHA512 bc42de316a678e84069a09078da9ffb093f3c330e5f2fcaf3e991153d26426f54b1931f5187aa4792e5b61f071ce76050c8314d7ee37c0e9584caecbaa70face

memory/3744-231-0x0000000073030000-0x00000000737E0000-memory.dmp

memory/3832-232-0x0000000007C40000-0x00000000081E4000-memory.dmp

memory/3744-233-0x0000000000170000-0x00000000001AE000-memory.dmp

memory/3832-234-0x0000000007730000-0x00000000077C2000-memory.dmp

memory/4240-235-0x0000000005B10000-0x0000000006128000-memory.dmp

memory/4240-236-0x0000000005530000-0x0000000005542000-memory.dmp

memory/4240-237-0x0000000005590000-0x00000000055CC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/376-276-0x0000000007FE0000-0x0000000007FF0000-memory.dmp

memory/3744-278-0x0000000006EF0000-0x0000000006F00000-memory.dmp

memory/3832-277-0x0000000007700000-0x0000000007710000-memory.dmp

memory/3152-279-0x0000000007970000-0x0000000007980000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/3832-284-0x0000000073030000-0x00000000737E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/3152-293-0x0000000073030000-0x00000000737E0000-memory.dmp

memory/376-303-0x0000000073030000-0x00000000737E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 894669c8d972c1460805359fa405db22
SHA1 0c35b7a171dd66c7de6b39e3c33e0e4dad064f42
SHA256 f3a2b3f7d2e93bc035daead4cd32777250da2046526a88eaba86b205676b7f98
SHA512 778e5010f817a61cf07e2327b5e01a3b63d8df8e5d23e2debf7cae8fc9385b44fdc45c9a02106d81c6104bb0f4f418b74cddf162c3d8d390c829c5d976560277

memory/4240-305-0x0000000073030000-0x00000000737E0000-memory.dmp

memory/376-304-0x0000000008010000-0x000000000801A000-memory.dmp

memory/4240-307-0x00000000055D0000-0x000000000561C000-memory.dmp

memory/3832-329-0x0000000007A60000-0x0000000007B6A000-memory.dmp

memory/3744-334-0x0000000073030000-0x00000000737E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 78e5bc5b95cf1717fc889f1871f5daf6
SHA1 65169a87dd4a0121cd84c9094d58686be468a74a
SHA256 7d2e2e4f369bcdbbe4a1d9acd299e230adc522d46e54f59e321622d80da02966
SHA512 d97bc87809e5f52cd015ced62488f738ea24a16c31d1fb836091b72112b200e304f0d8fab3ef762411b662ed60df0ca5fc24d4e98adb22b79e5e74a9292c1500

memory/3832-357-0x0000000008260000-0x00000000082C6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3d8f4eadb68a3e3d1bf2fa3006af5510
SHA1 d5d8239ec8a3bf5dadf52360350251d90d9e0142
SHA256 85a80218f4e5b578993436a6b8066b60508dd85a09579a4cb6757c2f9550d96c
SHA512 554773c4edd8456efaa23ac24970af5441e307424de3d2f41539c2cf854d57e7f725bf0c9986347fd3f2ff43efc8f69fd73c5d773bbfd504a99daca2b272a554

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

MD5 70b2a60a8cdb839f9038785dc548079a
SHA1 b4e9f530d5e349b5890fec7470bba813cfc96796
SHA256 526163ff6240f5d0db345c3089c777c14526da639a19b3787294aab40ba8f6f3
SHA512 d6fc065f91d29e946c4a32bb7cf25a1bb93a8f4a392315ff3ed3a9bc9344a4fa386220baceaf2a9ad3f808eb5e5436f3370b998ed243c1685ca49ae6d46ed724

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

MD5 e51f388b62281af5b4a9193cce419941
SHA1 364f3d737462b7fd063107fe2c580fdb9781a45a
SHA256 348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c
SHA512 1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

MD5 6bab470ce4335b3ff597eb46b09ecaef
SHA1 52243169a436d19fbcc067c8573ff51ddcf64d3c
SHA256 5fefff1474f920d59b71764ab67e078096f26e51938f9b123bea592400793324
SHA512 453dcb6ad5bf87a16d8399c5079e33933914305ff8e53b5b3325d6392c16564d88fe36195fec134ab25a11b7c7a40b7f4679f3ec981959704140f08192dc9a5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

MD5 700ccab490f0153b910b5b6759c0ea82
SHA1 17b5b0178abcd7c2f13700e8d74c2a8c8a95792a
SHA256 9aa923557c6792b15d8a80dd842f344c0a18076d7853dd59d6fd5d51435c7876
SHA512 0fec3d9549c117a0cb619cc4b13c1c69010cafceefcca891b33f4718c8d28395e8ab46cc308fbc57268d293921b07fabaf4903239091cee04243890f2010447f

memory/376-403-0x0000000007FE0000-0x0000000007FF0000-memory.dmp

memory/3832-404-0x0000000007700000-0x0000000007710000-memory.dmp

memory/3744-405-0x0000000006EF0000-0x0000000006F00000-memory.dmp

memory/3152-406-0x0000000007970000-0x0000000007980000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e36e7d81d5834fe5316dbd1a5bf48622
SHA1 fd42401c9e0fb5b007e79e5408d33d2177968861
SHA256 8ff6e745382859b51ed7ef43d3d44f8247c2b181a21a30d949e2b398d348ae2b
SHA512 617ba4c7a337ba25193354d56f3c18e608d968dae7086a14d484b0ffefb055346011928f19d8bdaa53acb3c331a942b4fc2364ca818fe2583c25325ddf8cfd48

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe596817.TMP

MD5 e11788fc1ad3fc0f7ff673bb5e0e482b
SHA1 a116bdece072b809216ce58d326aab978aa35740
SHA256 4e48cb57961ed35e9316988221a6737494b808a3511c80821b132562d6d94f44
SHA512 9dfa5a930b75b5bed8ebe1a1c44eae68cc2995fabf63493b8b5965e7c7871b0d2dffa538d728338ad360a8b83cce70eccfc4ae9d3bef91e20c3975070d660269

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8779a889-3804-48e9-a20a-269a6ead11c3.tmp

MD5 37f12ab8f8ef1b5398093c9e0eaabefd
SHA1 7334bbc6e4ea8bcb5eab958097dc5ae77cf19004
SHA256 245cf4adcc940510be349f1d8fc62c9f8ddb2f263da8702359c7b46de7ca905d
SHA512 ab272666cbc51fb83698d48e96aa5d3e500cc3797ad52fccc02d2ea5fea8b494f2504e5fbdb2e470e4929bf55bafeea2185595df2b95b79198b0c61860ff1a0e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

MD5 522037f008e03c9448ae0aaaf09e93cb
SHA1 8a32997eab79246beed5a37db0c92fbfb006bef2
SHA256 983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7
SHA512 643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

MD5 240c4cc15d9fd65405bb642ab81be615
SHA1 5a66783fe5dd932082f40811ae0769526874bfd3
SHA256 030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07
SHA512 267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

memory/4240-481-0x0000000006B10000-0x0000000006CD2000-memory.dmp

memory/4240-506-0x0000000007210000-0x000000000773C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

MD5 8bea29903e8332f44bd71a6dd04b6aef
SHA1 d792bc172c8d3f44dbf4f2142af2f1af4ef4857b
SHA256 54bfa7e4c1a23aff46b6f6db1c660e68a6f3d8c7d469ac6547b4f485fcf0e066
SHA512 681f29ffb7a8c571a2e5962f5cdc71e6980eae5e3754ffc7cece4d7fac31d9ef13345bc047297c46dfe557a45e4592937f01e01832cccd0cdd1a0276b23bd4fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

MD5 34504ed4414852e907ecc19528c2a9f0
SHA1 0694ca8841b146adcaf21c84dedc1b14e0a70646
SHA256 c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810
SHA512 173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

MD5 7e2a819601bdb18df91d434ca4d95976
SHA1 94c8d876f9e835b82211d1851314c43987290654
SHA256 7da655bf7ac66562215c863212e7225e1d3485e47e4c2d3c09faac7f78999db1
SHA512 1ca1d95cc91cb06a22b8d30a970c254e334db7ff6bad255333bac2adc83c98735ec9c43bccf9c46514664d449a43d2586d38a45970338655244e754d2a87a83e

memory/3832-520-0x000000000A620000-0x000000000A696000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

MD5 9dde60482197e9ed51b9ade08935c578
SHA1 078ac9e47f455b2e1a624281e00616b0efd85204
SHA256 db4f3622f69e0c1ae867d6fc0d0ef1256b515a93ede033006e0ad0f03f3eb24e
SHA512 1dedf96fcc75d0af21590e7d13b2b44293af4e6d4e1080adb022e32799074c612b058d777e94a35bf552b73a518c1bceb6f0b4fa4d1387cf29e7ce7655182316

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b255065fd0c5300b3f41f33a114f6366
SHA1 27fce790b1cc6c19064219ea9f900174964ebb6b
SHA256 88b482f2f78260f02d07dd80d4930da0f3d95d2fb6431067e771b23c261965d7
SHA512 05e104dc943fbdd0c1510e72f15a8bbf8c9b5c9b6ef972fb79836cc13218a6cee72f2fa357c4eea214e5482b079b1f02860d14a1d9825d5aa614cf9320e00994

memory/3152-538-0x00000000091C0000-0x0000000009210000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 84934c3ab719a82949cd931d7670e2f6
SHA1 1daf1fff326622fa4cea3041bebc531b081c29da
SHA256 9c32f9f94e227feee5672a2b6f60e7370abaa61406ac0da62542e55d112b5dae
SHA512 c2809a5176d88f8910f4d55e4818ce5c00e5d10fa7bb7b2e13f9c1091af68a6ecab395b3810406bea43da499dda834fd632cc1330b37dec0a9f62ea4843a7416

memory/3832-566-0x000000000A5D0000-0x000000000A5EE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c47748326e1f1273195970a095e2c0c6
SHA1 11419ca422c1dd39ea17831fc2fd8e81b976ec18
SHA256 e98a013e1be307fb0ca03f48eb96d4465cde7452e467acb7633d9bbcc4ddf514
SHA512 f17ec20c511657e5ba5255862de9794315d5e2216d79e090a09d39c7db5e0be6e4b2a465a1aa2a416ff59b69f81b7b9d6ecd9b7bc0dd2dc6708428cd861d00b5

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Temp\tmpE1A5.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpE1CA.tmp

MD5 5b39e7698deffeb690fbd206e7640238
SHA1 327f6e6b5d84a0285eefe9914a067e9b51251863
SHA256 53209f64c96b342ff3493441cefa4f49d50f028bd1e5cc45fe1d8b4c9d9a38f8
SHA512 f1f9bc156af008b9686d5e76f41c40e5186f563f416c73c3205e6242b41539516b02f62a1d9f6bcc608ccde759c81def339ccd1633bc8acdd6a69dc4a6477cc7

C:\Users\Admin\AppData\Local\Temp\tmpE22A.tmp

MD5 951e509e3c224453f9f99c1fc364e563
SHA1 af56148cb940db2e7463e21c4dbaaf6af31c2b83
SHA256 9e750b38c2704f2b23656be5b4b9ec1f04c9fcfab1d57d982443b01e940554f4
SHA512 dcead849e87177ecf79c16116a50f2298d38b8855c5b4feeba58a3da6ccbf51113939f4905283b823bd7d51717adac8b4cd630a13624827491978be5a407f6ca

C:\Users\Admin\AppData\Local\Temp\tmpE215.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpE27A.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

memory/3832-755-0x0000000073030000-0x00000000737E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE2B5.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 7a7cb264e96769becd64072b3f895d5b
SHA1 64951ac9833e89b077d08a96125aa48db55682e8
SHA256 9ad0463d900a0fa1c5aa820104309fa3e52b4e0a85de12b3393dc036e09f85d5
SHA512 6a0f4631e99cb0c78afe09ed9587774c4cf1d78e6273ce7fbd7347961295c9ef0c2df0c2a451dfb9ea60af23d86d95eab610f1ec9bbc1a9849b83cc8c1d16c0b

memory/4240-767-0x0000000073030000-0x00000000737E0000-memory.dmp

memory/3152-769-0x0000000073030000-0x00000000737E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e646884122ac274c41310c986f57b0a4
SHA1 96861b4285a03c61001bdb0954413acac89f733b
SHA256 26f026dd79dae19c483777447dbd387796e0e392351fe41a85e2f0b91717fb3a
SHA512 09f27452fadf032abc05cd6d7fd3e5a8c8eb8496510b12e156b27bd97a1c69f4874607a3634394b13ec6db5a682bf59056da1b68fe32cc476294e167844fa23d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 837330f70a34578b8eb3ec2dc66c645a
SHA1 d6502e5bf0140fe0bede660a4300c81a1ecee69d
SHA256 de0ea7bf8d0dfb6f27b4be7dd84ea5850efb0fd2cbe1ce8c940326ebad31ced1
SHA512 1e0df85378e95ab99ae65b237dac0ee25a21c0c3a37883a5fde95fc75f477152760b23e8d344e0a7dfa9e1ac6710a873f40e3a58905ecd21f622b9ef00417f5e