Malware Analysis Report

2025-08-05 19:01

Sample ID 231019-h57g9sga68
Target 4afef9b6e4cadbab55e69e697cca9065eaa671cb054a4c9738cbf57c770e2646
SHA256 4afef9b6e4cadbab55e69e697cca9065eaa671cb054a4c9738cbf57c770e2646
Tags
amadey dcrat redline sectoprat smokeloader 5141679758_99 @ytlogsbot breha kukish pixelscloud2.0 backdoor microsoft discovery evasion infostealer persistence phishing rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4afef9b6e4cadbab55e69e697cca9065eaa671cb054a4c9738cbf57c770e2646

Threat Level: Known bad

The file 4afef9b6e4cadbab55e69e697cca9065eaa671cb054a4c9738cbf57c770e2646 was found to be: Known bad.

Malicious Activity Summary

amadey dcrat redline sectoprat smokeloader 5141679758_99 @ytlogsbot breha kukish pixelscloud2.0 backdoor microsoft discovery evasion infostealer persistence phishing rat spyware stealer trojan

RedLine

Modifies Windows Defender Real-time Protection settings

DcRat

Amadey

SmokeLoader

SectopRAT payload

RedLine payload

SectopRAT

Downloads MZ/PE file

Modifies Windows Firewall

Windows security modification

Reads user/profile data of web browsers

Uses the VBS compiler (vbc.exe, the Visual Basic .NET compiler) for execution

.NET Reactor protector

Reads user/profile data of local email clients

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of SetThreadContext

Detected potential entity reuse from brand microsoft.

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Unsigned PE

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-19 07:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-19 07:20

Reported

2023-10-19 07:22

Platform

win10v2004-20230915-en

Max time kernel

89s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4afef9b6e4cadbab55e69e697cca9065eaa671cb054a4c9738cbf57c770e2646.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4afef9b6e4cadbab55e69e697cca9065eaa671cb054a4c9738cbf57c770e2646.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\4C0C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\4C0C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\4C0C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\4C0C.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\4C0C.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4D07.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6B33.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ko6TR23.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gG1OZ87.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ab8Te67.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Op5dz71.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MK4476.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3yT55HH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Tl662wO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4801.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\48CD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jT7WX3mZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ek6wQ5FL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4AE2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dw9Gs4HD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\RD2iy3HK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Rj59Ps2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4C0C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4D07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4EEC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4FB8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2EV834vR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5111.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5A3A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6B33.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6D28.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6EBF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\70D3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000529001\Robo_Ocr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GBKPF.tmp\Robo_Ocr.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GBKPF.tmp\Robo_Ocr.tmp N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Uses the VBS compiler (vbc.exe, the Visual Basic .NET compiler) for execution

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\4C0C.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dw9Gs4HD.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4afef9b6e4cadbab55e69e697cca9065eaa671cb054a4c9738cbf57c770e2646.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gG1OZ87.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ab8Te67.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Op5dz71.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ek6wQ5FL.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ko6TR23.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4801.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jT7WX3mZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\RD2iy3HK.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\6EBF.exe'\"" C:\Users\Admin\AppData\Local\Temp\6EBF.exe N/A
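The Defender rows above (together with the TamperProtection rows under "Windows security modification") and this Run key table are the most actionable registry indicators in the report, but they need two caveats. First, the ten wextract_cleanupN RunOnce entries are not payload autostarts: they are the standard cleanup hook written by the IExpress/WExtract self-extractor stub (rundll32 advpack.dll,DelNodeRunDLL32 deletes the IXP00N.TMP directory at the next logon), so what they actually reveal is a chain of nested self-extracting archives and which dropped EXE unpacked which stage; the only genuine autostart is HKCU ...\Run\socks5, which relaunches 6EBF.exe through a hidden PowerShell. Second, a recorded write is an attempt, not a confirmed evasion: with Tamper Protection on, Defender does not honor changes to these Real-Time Protection values made from outside the Windows Security app, and the TamperProtection = 0 write landed in the WOW6432Node view, so the live-host check is Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) rather than the registry. The Python below is an added example, not part of this report or the sandbox's own code: it parses rows in the report's print format (the embedded rows are copied from the tables above) and applies both readings.

```python
"""Triage of this report's registry rows: Defender tampering, Run/RunOnce
classification and the IExpress extraction chain (added example, not report output)."""
import re
from collections import defaultdict

# Rows copied from the report's tables, in its own print format (constructed input).
ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\4C0C.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\4C0C.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup6 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP006.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dw9Gs4HD.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4afef9b6e4cadbab55e69e697cca9065eaa671cb054a4c9738cbf57c770e2646.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gG1OZ87.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ab8Te67.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Op5dz71.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ek6wQ5FL.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ko6TR23.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4801.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jT7WX3mZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup7 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP007.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\RD2iy3HK.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\6EBF.exe'\"" C:\Users\Admin\AppData\Local\Temp\6EBF.exe N/A
"""

# One row of a "Description Indicator Process Target" table as the report prints it.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>\w+)\)|Key created)\s+'
    r'(?P<key>\\REGISTRY\\.*?)'
    r'(?: = "(?P<value>.*)")?'
    r'\s+(?P<proc>C:\\.*?)\s+N/A$'
)
# Any Disable* value under this key set to 1 turns a real-time protection component off.
RTP_PATH = "\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\"
# Setting this value to 0 is the attempt to switch Tamper Protection off.
TP_VALUE = "\\Microsoft\\Windows Defender\\Features\\TamperProtection"
# RunOnce hook the IExpress/WExtract stub leaves to delete its own IXP00N.TMP directory.
WEXTRACT_RE = re.compile(r"\\RunOnce\\wextract_cleanup(\d+)$")
DELNODE_RE = re.compile(r'DelNodeRunDLL32 "(?P<dir>[^"]+)"')


def parse_rows(text):
    """Parse report rows; lines that do not match the table format are skipped."""
    return [m.groupdict() for m in (ROW_RE.match(l.strip()) for l in text.splitlines()) if m]


def unescape(value):
    """Undo the report's C-style escaping (\\\\ and \\") inside quoted values."""
    return re.sub(r"\\(.)", r"\1", value)


def hive(key):
    return "HKLM" if key.startswith("\\REGISTRY\\MACHINE\\") else "HKU"


def defender_tampering(rows):
    """Map each writer process to the Defender settings it tried to turn off."""
    hits = defaultdict(list)
    for r in rows:
        if r["value"] is None:          # "Key created" rows carry no value
            continue
        name = r["key"].rsplit("\\", 1)[1]
        if RTP_PATH in r["key"] and name.startswith("Disable") and r["value"] == "1":
            hits[r["proc"]].append(name)
        elif r["key"].endswith(TP_VALUE) and r["value"] == "0":
            hits[r["proc"]].append(name)
    return {proc: sorted(set(names)) for proc, names in hits.items()}


def classify_run_keys(rows):
    """Split Run/RunOnce writes into self-extractor cleanup hooks and real autostarts."""
    cleanup, autostart = [], []
    for r in rows:
        if r["value"] is None or "\\CurrentVersion\\Run" not in r["key"]:
            continue
        cmd = unescape(r["value"])
        stage, node = WEXTRACT_RE.search(r["key"]), DELNODE_RE.search(cmd)
        if stage and node:
            cleanup.append({"stage": int(stage.group(1)), "creator": r["proc"],
                            "deletes": node.group("dir").rstrip("\\")})
        else:
            autostart.append({"hive": hive(r["key"]), "name": r["key"].rsplit("\\", 1)[1],
                              "command": cmd, "writer": r["proc"]})
    return cleanup, autostart


def extraction_chain(cleanup):
    """Group cleanup hooks by stage: the EXE that wrote wextract_cleanupN unpacked IXP00N.TMP,
    so walking the stages in order recovers the nesting (stage 3 and 4 each occur twice here,
    i.e. two separate self-extractor chains ran)."""
    chain = defaultdict(list)
    for c in sorted(cleanup, key=lambda c: c["stage"]):
        chain[c["stage"]].append((c["creator"].rsplit("\\", 1)[1], c["deletes"].rsplit("\\", 1)[1]))
    return dict(chain)


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    print(defender_tampering(rows))
    cleanup, autostart = classify_run_keys(rows)
    print(autostart)
    print(extraction_chain(cleanup))
```

Running the module prints two writers of Defender settings (1CM81mj5.exe and 4C0C.exe), a single real autostart (socks5) and the stage map 0 through 7, which is the quickest way to see that the RunOnce table describes an unpacking chain rather than eleven persistence mechanisms.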

Checks installed software on the system

discovery

Detected potential entity reuse from brand microsoft.

phishing microsoft

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4480 set thread context of 2324 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3yT55HH.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3yT55HH.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3yT55HH.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
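The SetThreadContext row earlier in this report (PID 4480, an msedge.exe image, setting the thread context of PID 2324, vbc.exe) has the shape of process hollowing: a benign-looking host is started, its thread context is redirected into injected code, and the sandbox then attributes later activity to the host's image name, which is why the BIOS manufacturer queries below appear under msedge.exe. A genuine Edge has no reason to touch a .NET compiler's thread context, so a rule should key on the target and the cross-process relationship rather than trust the source image. The schtasks, netsh and sc rows show the sample driving built-in tools, but the report leaves their Process column at N/A. The Python below is an added example, not part of this report or the sandbox's own code: it runs two host-telemetry rules over constructed, Sysmon-like records. The PIDs and image paths are taken from the report; every parent/child pairing for schtasks, netsh and sc is an assumption, and the set_thread_context record presumes an EDR that exposes that call (Sysmon itself does not log SetThreadContext).

```python
"""Process-event rules for the execution chain in this report (added example; the
records below are constructed, Sysmon-like events, not sandbox output)."""
from pathlib import PureWindowsPath

# Images commonly used as hollowing/injection hosts, including the vbc.exe target seen here.
HOLLOW_HOSTS = {"vbc.exe", "csc.exe", "jsc.exe", "regasm.exe", "regsvcs.exe", "applaunch.exe"}
# Built-in tools the sample drives: schtasks (persistence), netsh (firewall), sc (services).
LOLBINS = {"schtasks.exe", "netsh.exe", "sc.exe"}
# Parent locations that have no legitimate reason to launch those tools.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"

# Constructed telemetry. PIDs 4480 -> 2324 and both images come from the report; the
# parent of msedge.exe and every parent of schtasks/netsh/sc are assumptions.
EVENTS = [
    {"type": "process_create", "pid": 4480, "image": EDGE, "parent_image": TEMP + r"\4FB8.exe"},
    {"type": "process_create", "pid": 2324, "image": VBC, "parent_image": EDGE},
    {"type": "set_thread_context", "source_pid": 4480, "target_pid": 2324},
    {"type": "process_create", "pid": 5012, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": TEMP + r"\207aa4515d\oneetx.exe"},
    {"type": "process_create", "pid": 5020, "image": r"C:\Windows\system32\netsh.exe",
     "parent_image": TEMP + r"\4C0C.exe"},
    {"type": "process_create", "pid": 5030, "image": r"C:\Windows\SysWOW64\sc.exe",
     "parent_image": TEMP + r"\6B33.exe"},
    # Benign control: an administrator's console creating a task must not alert.
    {"type": "process_create", "pid": 5040, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]


def basename(image):
    """Lower-cased file name of a Windows path; PureWindowsPath works on any host OS."""
    return PureWindowsPath(image).name.lower()


def detect(events):
    """Return alerts for (a) cross-process SetThreadContext into a known hollowing host
    and (b) built-in admin tools spawned by a binary living in a user-writable path."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    alerts = []
    for e in events:
        if e["type"] == "set_thread_context" and e["source_pid"] != e["target_pid"]:
            target = images.get(e["target_pid"], "")
            if basename(target) in HOLLOW_HOSTS:
                alerts.append({"rule": "thread_context_into_hollow_host",
                               "source": basename(images.get(e["source_pid"], "")),
                               "target": basename(target)})
        elif e["type"] == "process_create" and basename(e["image"]) in LOLBINS:
            parent = e["parent_image"].lower()
            if any(p in parent for p in USER_WRITABLE):
                alerts.append({"rule": "admin_tool_from_user_writable_parent",
                               "child": basename(e["image"]), "parent": e["parent_image"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The first rule deliberately ignores what the source process calls itself; the second treats the parent's location, not its name, as the signal, since every dropped stage in this report runs from AppData\Local\Temp under a throwaway name.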

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3yT55HH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3yT55HH.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3yT55HH.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4C0C.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\4FB8.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5111.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3552 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\4afef9b6e4cadbab55e69e697cca9065eaa671cb054a4c9738cbf57c770e2646.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ko6TR23.exe
PID 3552 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\4afef9b6e4cadbab55e69e697cca9065eaa671cb054a4c9738cbf57c770e2646.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ko6TR23.exe
PID 3552 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\4afef9b6e4cadbab55e69e697cca9065eaa671cb054a4c9738cbf57c770e2646.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ko6TR23.exe
PID 3228 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ko6TR23.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gG1OZ87.exe
PID 3228 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ko6TR23.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gG1OZ87.exe
PID 3228 wrote to memory of 4916 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ko6TR23.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gG1OZ87.exe
PID 4916 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gG1OZ87.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ab8Te67.exe
PID 4916 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gG1OZ87.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ab8Te67.exe
PID 4916 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gG1OZ87.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ab8Te67.exe
PID 4112 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ab8Te67.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Op5dz71.exe
PID 4112 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ab8Te67.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Op5dz71.exe
PID 4112 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ab8Te67.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Op5dz71.exe
PID 116 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Op5dz71.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe
PID 116 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Op5dz71.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe
PID 116 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Op5dz71.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe
PID 116 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Op5dz71.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MK4476.exe
PID 116 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Op5dz71.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MK4476.exe
PID 116 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Op5dz71.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MK4476.exe
PID 4112 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ab8Te67.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3yT55HH.exe
PID 4112 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ab8Te67.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3yT55HH.exe
PID 4112 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ab8Te67.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3yT55HH.exe
PID 4916 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gG1OZ87.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Tl662wO.exe
PID 4916 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gG1OZ87.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Tl662wO.exe
PID 4916 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gG1OZ87.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Tl662wO.exe
PID 3084 wrote to memory of 4692 N/A N/A C:\Users\Admin\AppData\Local\Temp\4801.exe
PID 3084 wrote to memory of 4692 N/A N/A C:\Users\Admin\AppData\Local\Temp\4801.exe
PID 3084 wrote to memory of 4692 N/A N/A C:\Users\Admin\AppData\Local\Temp\4801.exe
PID 3084 wrote to memory of 1840 N/A N/A C:\Users\Admin\AppData\Local\Temp\48CD.exe
PID 3084 wrote to memory of 1840 N/A N/A C:\Users\Admin\AppData\Local\Temp\48CD.exe
PID 3084 wrote to memory of 1840 N/A N/A C:\Users\Admin\AppData\Local\Temp\48CD.exe
PID 4692 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\4801.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jT7WX3mZ.exe
PID 4692 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\4801.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jT7WX3mZ.exe
PID 4692 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\4801.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jT7WX3mZ.exe
PID 3084 wrote to memory of 2912 N/A N/A C:\Windows\system32\cmd.exe
PID 3084 wrote to memory of 2912 N/A N/A C:\Windows\system32\cmd.exe
PID 2868 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jT7WX3mZ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ek6wQ5FL.exe
PID 2868 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jT7WX3mZ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ek6wQ5FL.exe
PID 2868 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jT7WX3mZ.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ek6wQ5FL.exe
PID 3084 wrote to memory of 2744 N/A N/A C:\Users\Admin\AppData\Local\Temp\4AE2.exe
PID 3084 wrote to memory of 2744 N/A N/A C:\Users\Admin\AppData\Local\Temp\4AE2.exe
PID 3084 wrote to memory of 2744 N/A N/A C:\Users\Admin\AppData\Local\Temp\4AE2.exe
PID 2520 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ek6wQ5FL.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dw9Gs4HD.exe
PID 2520 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ek6wQ5FL.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dw9Gs4HD.exe
PID 2520 wrote to memory of 3320 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ek6wQ5FL.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dw9Gs4HD.exe
PID 3320 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dw9Gs4HD.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\RD2iy3HK.exe
PID 3320 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dw9Gs4HD.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\RD2iy3HK.exe
PID 3320 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dw9Gs4HD.exe C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\RD2iy3HK.exe
PID 1204 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\RD2iy3HK.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Rj59Ps2.exe
PID 1204 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\RD2iy3HK.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Rj59Ps2.exe
PID 1204 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\RD2iy3HK.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Rj59Ps2.exe
PID 3084 wrote to memory of 2532 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C0C.exe
PID 3084 wrote to memory of 2532 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C0C.exe
PID 3084 wrote to memory of 2532 N/A N/A C:\Users\Admin\AppData\Local\Temp\4C0C.exe
PID 3084 wrote to memory of 4348 N/A N/A C:\Users\Admin\AppData\Local\Temp\4D07.exe
PID 3084 wrote to memory of 4348 N/A N/A C:\Users\Admin\AppData\Local\Temp\4D07.exe
PID 3084 wrote to memory of 4348 N/A N/A C:\Users\Admin\AppData\Local\Temp\4D07.exe
PID 3084 wrote to memory of 3712 N/A N/A C:\Users\Admin\AppData\Local\Temp\4EEC.exe
PID 3084 wrote to memory of 3712 N/A N/A C:\Users\Admin\AppData\Local\Temp\4EEC.exe
PID 3084 wrote to memory of 3712 N/A N/A C:\Users\Admin\AppData\Local\Temp\4EEC.exe
PID 3084 wrote to memory of 3820 N/A N/A C:\Users\Admin\AppData\Local\Temp\4FB8.exe
PID 3084 wrote to memory of 3820 N/A N/A C:\Users\Admin\AppData\Local\Temp\4FB8.exe
PID 3084 wrote to memory of 3820 N/A N/A C:\Users\Admin\AppData\Local\Temp\4FB8.exe
PID 1204 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\RD2iy3HK.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2EV834vR.exe
PID 1204 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\RD2iy3HK.exe C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2EV834vR.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4afef9b6e4cadbab55e69e697cca9065eaa671cb054a4c9738cbf57c770e2646.exe

"C:\Users\Admin\AppData\Local\Temp\4afef9b6e4cadbab55e69e697cca9065eaa671cb054a4c9738cbf57c770e2646.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ko6TR23.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ko6TR23.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gG1OZ87.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gG1OZ87.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ab8Te67.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ab8Te67.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Op5dz71.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Op5dz71.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MK4476.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MK4476.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3yT55HH.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3yT55HH.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Tl662wO.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Tl662wO.exe

C:\Users\Admin\AppData\Local\Temp\4801.exe

C:\Users\Admin\AppData\Local\Temp\4801.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jT7WX3mZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jT7WX3mZ.exe

C:\Users\Admin\AppData\Local\Temp\48CD.exe

C:\Users\Admin\AppData\Local\Temp\48CD.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\49C8.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ek6wQ5FL.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ek6wQ5FL.exe

C:\Users\Admin\AppData\Local\Temp\4AE2.exe

C:\Users\Admin\AppData\Local\Temp\4AE2.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dw9Gs4HD.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dw9Gs4HD.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Rj59Ps2.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Rj59Ps2.exe

C:\Users\Admin\AppData\Local\Temp\4C0C.exe

C:\Users\Admin\AppData\Local\Temp\4C0C.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\RD2iy3HK.exe

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\RD2iy3HK.exe

C:\Users\Admin\AppData\Local\Temp\4D07.exe

C:\Users\Admin\AppData\Local\Temp\4D07.exe

C:\Users\Admin\AppData\Local\Temp\4EEC.exe

C:\Users\Admin\AppData\Local\Temp\4EEC.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2EV834vR.exe

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2EV834vR.exe

C:\Users\Admin\AppData\Local\Temp\5111.exe

C:\Users\Admin\AppData\Local\Temp\5111.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\5A3A.exe

C:\Users\Admin\AppData\Local\Temp\5A3A.exe

C:\Users\Admin\AppData\Local\Temp\4FB8.exe

C:\Users\Admin\AppData\Local\Temp\4FB8.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7ffd645a46f8,0x7ffd645a4708,0x7ffd645a4718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Users\Admin\AppData\Local\Temp\6B33.exe

C:\Users\Admin\AppData\Local\Temp\6B33.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\6EBF.exe

C:\Users\Admin\AppData\Local\Temp\6EBF.exe

C:\Users\Admin\AppData\Local\Temp\6D28.exe

C:\Users\Admin\AppData\Local\Temp\6D28.exe

C:\Users\Admin\AppData\Local\Temp\70D3.exe

C:\Users\Admin\AppData\Local\Temp\70D3.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffd645a46f8,0x7ffd645a4708,0x7ffd645a4718

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,5533016280186428946,15795311167321541629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,5533016280186428946,15795311167321541629,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=4EEC.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,5533016280186428946,15795311167321541629,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd645a46f8,0x7ffd645a4708,0x7ffd645a4718

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5533016280186428946,15795311167321541629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5533016280186428946,15795311167321541629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5533016280186428946,15795311167321541629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,10656480892633443829,2795442854936133744,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5533016280186428946,15795311167321541629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,5533016280186428946,15795311167321541629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000529001\Robo_Ocr.exe

"C:\Users\Admin\AppData\Local\Temp\1000529001\Robo_Ocr.exe"

C:\Users\Admin\AppData\Local\Temp\is-GBKPF.tmp\Robo_Ocr.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GBKPF.tmp\Robo_Ocr.tmp" /SL5="$D0172,922170,832512,C:\Users\Admin\AppData\Local\Temp\1000529001\Robo_Ocr.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=6D28.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd72f446f8,0x7ffd72f44708,0x7ffd72f44718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,16072136345234886833,8775565063811784377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,16072136345234886833,8775565063811784377,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,16072136345234886833,8775565063811784377,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16072136345234886833,8775565063811784377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16072136345234886833,8775565063811784377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16072136345234886833,8775565063811784377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=6D28.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd72f446f8,0x7ffd72f44708,0x7ffd72f44718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16072136345234886833,8775565063811784377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16072136345234886833,8775565063811784377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3748 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16072136345234886833,8775565063811784377,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16072136345234886833,8775565063811784377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,16072136345234886833,8775565063811784377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,16072136345234886833,8775565063811784377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16072136345234886833,8775565063811784377,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16072136345234886833,8775565063811784377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=4EEC.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd72f446f8,0x7ffd72f44708,0x7ffd72f44718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16072136345234886833,8775565063811784377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,16072136345234886833,8775565063811784377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ko6TR23.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gG1OZ87.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ab8Te67.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Op5dz71.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1CM81mj5.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2MK4476.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3yT55HH.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Tl662wO.exe

C:\Users\Admin\AppData\Local\Temp\4801.exe

C:\Users\Admin\AppData\Local\Temp\48CD.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\jT7WX3mZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ek6wQ5FL.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\4GF921jh.exe

C:\Users\Admin\AppData\Local\Temp\4AE2.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\dw9Gs4HD.exe

C:\Users\Admin\AppData\Local\Temp\49C8.bat

MD5 403991c4d18ac84521ba17f264fa79f2
SHA1 850cc068de0963854b0fe8f485d951072474fd45
SHA256 ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512 a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576

C:\Users\Admin\AppData\Local\Temp\IXP006.TMP\RD2iy3HK.exe

MD5 2c2a5e8f0e8912799c2dd60997d19d51
SHA1 86fe15919bde64a3504d1832d5e4a9478017623b
SHA256 5501fe6a916950325661b0b33253b1e8cc5ec3abf16b06d3f34e46a5391cdf6d
SHA512 e443dda8cc22b574b93a020668b159ce3884d5566dffe293fb7f75749d9d74fdebc97c9659c2aa97bd732161e61520f7192e9cc3334412e3c32fdc168cb98633

memory/2744-145-0x0000000074530000-0x0000000074CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\1Rj59Ps2.exe

MD5 53e28e07671d832a65fbfe3aa38b6678
SHA1 6f9ea0ed8109030511c2c09c848f66bd0d16d1e1
SHA256 5c59db3277aefb761d4b814aaf5f5acd1fd1a0ea154dc565c78b082a3df4566e
SHA512 053f8048230583e741c34f6714c9684ed1312c064cd0c81d99f09e20192b7ddecb53c9c55e4aceac774315315be7e13de98f2cea4e5487f2d9e9dfa2ce3979c9

C:\Users\Admin\AppData\Local\Temp\4C0C.exe

MD5 425e2a994509280a8c1e2812dfaad929
SHA1 4d5eff2fb3835b761e2516a873b537cbaacea1fe
SHA256 6f40f29ad16466785dfbe836dd375400949ff894e8aa03e2805ab1c1ac2d6f5a
SHA512 080a41e7926122e14b38901f2e1eb8100a08c5068a9a74099f060c5e601f056a66e607b4e006820276834bb01d913a3894de98e6d9ba62ce843df14058483aa0

memory/2532-155-0x00000000023C0000-0x00000000023E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4D07.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2744-154-0x0000000007160000-0x0000000007170000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2532-162-0x0000000002600000-0x000000000261E000-memory.dmp

memory/2532-167-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

memory/2532-164-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

memory/2532-163-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

memory/2532-161-0x0000000074530000-0x0000000074CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4FB8.exe

MD5 7f28547a6060699461824f75c96feaeb
SHA1 744195a7d3ef1aa32dcb99d15f73e26a20813259
SHA256 ba3b1b5a5e8a3f8c2564d2f90cfdf293a4f75fd366d7b8af12f809acdcac7bff
SHA512 eb53cfc30d0a19fcbddcf36a3abc66860325d9ff029fd83e9363f9274b76f87ac444bc693f43031b5d2f4b53a594bc557036ce6dc31d052d467c75ccc1040239

memory/2532-173-0x0000000002600000-0x0000000002618000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP007.TMP\2EV834vR.exe

MD5 639251032dd1eeb4197f8678c75ab2ce
SHA1 df37763019ea08baa9c83d49c9ba0e7b74f043cb
SHA256 23c7868d7a32df552d2469799fde43c9b5598cf565bca235f348244df8ae6aa8
SHA512 0527623796749056740af2f9f70e772b3f65e7e52397170d324848fbf98605556057d221ea21816448402a888549fded975e29227797f770cb62ba9a22f54016

memory/2532-178-0x0000000002600000-0x0000000002618000-memory.dmp

memory/2532-183-0x0000000002600000-0x0000000002618000-memory.dmp

memory/2532-193-0x0000000002600000-0x0000000002618000-memory.dmp

memory/1788-190-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/2532-195-0x0000000002600000-0x0000000002618000-memory.dmp

memory/3476-198-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/1788-202-0x0000000007F10000-0x0000000007F20000-memory.dmp

memory/2532-206-0x0000000002600000-0x0000000002618000-memory.dmp

memory/3820-209-0x0000000000960000-0x000000000097E000-memory.dmp

memory/2532-210-0x0000000002600000-0x0000000002618000-memory.dmp

memory/2532-201-0x0000000002600000-0x0000000002618000-memory.dmp

memory/2532-219-0x0000000002600000-0x0000000002618000-memory.dmp

memory/3476-216-0x0000000007E80000-0x0000000007E90000-memory.dmp

memory/3820-213-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/2532-212-0x0000000002600000-0x0000000002618000-memory.dmp

memory/3712-214-0x0000000002100000-0x000000000215A000-memory.dmp

memory/3476-197-0x0000000000FA0000-0x0000000000FFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4EEC.exe

MD5 b9fbf1ffd7f18fa178219df9e5a4d7f9
SHA1 be2d63df44dbbb754fc972e18adf9d56a1adcce4
SHA256 07c4357e3f13e6603800a36e787d3c2aa1f73bf94185a8ac8de727986ab3799f
SHA512 ec1687d97497a91c75ac1cb7c121bd7e4545d32dcc196c916e0c97ac1b8e4472bee15685cea7e7e174f22467766bdff8268ea57c05e40ce0ddde9d03c1b223e8

C:\Users\Admin\AppData\Local\Temp\5111.exe

MD5 20e21e63bb7a95492aec18de6aa85ab9
SHA1 6cbf2079a42d86bf155c06c7ad5360c539c02b15
SHA256 96a9eeeaa9aace1dd6eb0ba2789bb155b64f7c45dc9bcd34b8cd34a1f33e7d17
SHA512 73eb9426827ba05a432d66d750b5988e4bb9c58b34de779163a61727c3df8d272ef455d5f27684f0054bb3af725106f1fadbae3afa3f1f6de655b8d947a82b33

memory/1788-187-0x0000000000FF0000-0x000000000102E000-memory.dmp

memory/2532-171-0x0000000002600000-0x0000000002618000-memory.dmp

memory/2532-225-0x0000000002600000-0x0000000002618000-memory.dmp

memory/3820-226-0x0000000005250000-0x0000000005260000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5A3A.exe

MD5 a8eb605b301ac27461ce89d51a4d73ce
SHA1 f3e2120787f20577963189b711567cc5d7b19d4e
SHA256 7ed107b061c998c5c5c69d16282f63a64f65d46656cad2b98320ed3303b9fe61
SHA512 372fbba38af7f4d571e8c22c773057e472ade25892268dc071cbfa0b18ebbf867c366f691033ad375f304b4d05735925c82bb1f82bc45e53400b31497813be6a

memory/2532-229-0x0000000002600000-0x0000000002618000-memory.dmp

memory/3712-223-0x0000000000400000-0x0000000000470000-memory.dmp

memory/2532-231-0x0000000002600000-0x0000000002618000-memory.dmp

memory/2532-233-0x0000000002600000-0x0000000002618000-memory.dmp

memory/2532-235-0x0000000002600000-0x0000000002618000-memory.dmp

memory/2532-237-0x0000000002600000-0x0000000002618000-memory.dmp

memory/3476-239-0x0000000008950000-0x00000000089B6000-memory.dmp

memory/2324-241-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2744-240-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/2532-243-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/4480-247-0x00000000005B0000-0x00000000006CB000-memory.dmp

memory/2744-250-0x0000000007160000-0x0000000007170000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6B33.exe

MD5 5678c3a93dafcd5ba94fd33528c62276
SHA1 8cdd901481b7080e85b6c25c18226a005edfdb74
SHA256 2d620c7feb27b4866579c6156df1ec547bfc22ad0aef00752ea8c6b083b8b73d
SHA512 b0af8a06202a7626f750a969b3ed123da032df9a960f5071cb45e53160750acff926a40c3802f2520ccae4b08f4ea5e6b50107c84fe991f2104371998afef4b7

memory/4124-257-0x0000000000720000-0x0000000000B78000-memory.dmp

memory/4480-256-0x00000000005B0000-0x00000000006CB000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4d25fc6e43a16159ebfd161f28e16ef7
SHA1 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4
SHA256 cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5
SHA512 ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1

memory/2324-265-0x0000000074530000-0x0000000074CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6EBF.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/2532-267-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6D28.exe

MD5 42d97769a8cfdfedac8e03f6903e076b
SHA1 01c6791e564bdbc0e7c6e2fdbdf4fdadc010ffbe
SHA256 f9670a844453e56898ed4c23afe57dfa2cd20f28ae8e97df4c7304371e1b179b
SHA512 38d2ae5ded48543d8ceb4c4a2a7ebd3287c4b720fe4133080f64e9ebd4403e8ee66301885c20164c9b4fb48536a107fd21f03689332685fcd3214075feadbd77

memory/2532-255-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

memory/2532-253-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

memory/4124-273-0x0000000074530000-0x0000000074CE0000-memory.dmp

memory/1788-278-0x0000000074530000-0x0000000074CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\70D3.exe

MD5 d5752c23e575b5a1a1cc20892462634a
SHA1 132e347a010ea0c809844a4d90bcc0414a11da3f
SHA256 c5fe2da1631fc00183d774e19083e5bb472779e8e5640df7a939b30da28863fb
SHA512 ae23ef6b5f6566384411343596a11242b0b3d4ae51f4c8f575c8b011ee59ecfde92f7b73352240d1113f7594a3f3f87b488d98b53908e27cdd4523b65613e9e8

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 81e4fc7bd0ee078ccae9523fa5cb17a3
SHA1 4d25ca2e8357dc2688477b45247d02a3967c98a4
SHA256 c867c3bda7b6f6bd228a4d7656c069bd6cf4f67ba4b075cf4113f5b109e7d9ee
SHA512 4cfc68d7450ecdeaa56db50297bd233857b8a92265f57bfadb33ab9eb8bafbd77d8db609f8419a48f20ba0e7f8ad62063fd338536cd6319d1ed830405100ed22

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/1968-299-0x00000000001C0000-0x00000000001DE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fd848615b0c0cd0df09a33afedcd91f2
SHA1 d38cd91ab5106ae2bf43bd4f0923ff476cb1ec89
SHA256 f4519c8dd35ff998c10910ef4fea00b148fbc37f173d5ced124e2831ce312cc9
SHA512 b415df4ce5c8d9e358b06e3c88f65b9307561f6c827c7a42aa32b0ed9e0b69b6789efc880733388abc0eaa65cb053710d57e985eadfd3ca42e37cedf231a49d3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ddb87c57cac97e0d47a339b1ae2ce274
SHA1 51af75b49229a6f58746da04f840a669d917d266
SHA256 663c06023f143e8df5a2401a804b62ad01938aacd3b88e28c80953a7eb16cdee
SHA512 6008a82943414fab3fbbf42ea7394ae1db11134bd2e08a4d18eadf2ed396a56d75c636ff154b0fc9d3dac79bba714ee04533c8e6a40ff7258dafb4b02b34d829

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 546b130afd1e1ddd4d8637fc28202ee8
SHA1 8d78a000b288a4f901422cc69d0dbb726b145d50
SHA256 eea571d1f24c51a110e7ec5033b6499f401a7e0f5ab54256d85ef6898637e87b
SHA512 dc07b4015d8be20b0b037f907805ec854c35fbbe08fc49fc66e5a0792f27dc4ca759ab95dc034b4b295ffeef58c544adb6affaad57d8b1ab751a80b34db76367

C:\Users\Admin\AppData\Local\Temp\1000529001\Robo_Ocr.exe

MD5 bb727510520450aba9c69ca705d32478
SHA1 6afbe257743dd937038ac6a02373d5267a2c9303
SHA256 613c201d652b0e029880034ebb8f14fd3bc11289c0bfcc3e4b29b29f9ce023c6
SHA512 8fe6752f057b4b7f6e1ee8aaf8994119e8cedb9b425b8eecd28b6e277e53cca21a337123c86239cf43e6e3edcaab0bf489f73314462aeccad8f51f4af0f96560

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d0d0bdd7efa1ac78ef40a3ea6dbfc96b
SHA1 61a1f4d6e733078b8bfa882695af129d9272a0e6
SHA256 d3f0ce7e9cb561a50f9cec3d534ff2c46ebbeaa6b1f391c25267a7adef8be30a
SHA512 83d5b8e3afbbae4c2f6ae882ccf45df92c1940895762cc9fb694673441dbd8739d838d924d8b4af5d7dcd5c06252be95253bff46c775bb4e88d820e052cbfd25

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

MD5 c9d993a265dace369c7b4791a4eee13b
SHA1 a193fb30790b0fcb7bbaf9a64abd1776b525a910
SHA256 a8d37852e69c987b20fe4eb4ead8fd4e7a0dacd3450e5f5aab3a60f5008bf5b0
SHA512 f0a9f569c221609e7a7905f0458ddecd48fd1c8c93c68b94c7837736094f0ce9303deb14dd6a8d5ea0ae559adf239b1d9a98dfb979d3a63d23874f766b5c49b8

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mpkmrmmh.3jj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e351b95574b5cd6ffe57628e7c232788
SHA1 02b2ac393d9717e1e6bed83d4706447bd52ebc13
SHA256 00e8a1f770119de7e76599af666d632013c849e037bdc71a67bddf8caedfd79a
SHA512 60917fec493055b821c8a18c386eb74ba3106b4aeda6d23fc2f208deae423167951dc5249175ecbd7321b4d4b1e529adaba76029d35ac00d87252bd4ca52bdcd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5786356b9513ed1956e8202c219a72db
SHA1 acc4ce4534713a4b159a2459526aae62b656f340
SHA256 2991d59875aa341770067b29f195899e2a09214635dbde0ea232b10ff72259c5
SHA512 f4025991650fd8946a0eaa353e50ad6065b75391780f668ee42dc22fbc02307968cf2f5d9af4ed03ed243eda1d52070a9d1e16f16bdc7a0841d934e866b7ae33

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d555d038867542dfb2fb0575a0d3174e
SHA1 1a5868d6df0b5de26cf3fc7310b628ce0a3726f0
SHA256 044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e
SHA512 d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1940126f248ff09af29cae2656674e55
SHA1 3690d20b783d21a2c38a4132b4c1bac7d454515a
SHA256 f302dd7b7ee21d6d428aa26d8fa9324504f8d62bf7cc9bf82e00b68e4c1a2a3d
SHA512 2c4efb1724cf7488ed001bd0e04ac6c871cf067858a827f705f593cfb5089540f98d33b58e79633161605c4876979494a2f58f03869277102e2e0cc70615c696

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4eda7d289b0238ffbc2af5c6ada535dc
SHA1 5a7cfdc1373a1f72c016e090200349e835d4ed2f
SHA256 307363f5978a788ef72d04b2e5ab914ebabd9deb8d6a458003474ff694307eff
SHA512 f822456e3b616ca12183ddd8323b3c0f1740927564e185ebe11310f73123aec63ef3058ecf290ae26f86e2ea0a03aab25f52a162d6f9394d46598ef671196aa0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bb3b0a8fccfd796c3beb8ba566556295
SHA1 18d27b3f7b7b7846c6aded2014acbacb9d253a57
SHA256 cd2e3ca674c99f44372e6d39d0866a5d432a5a2dfb422f63b9f33e4a6d77842a
SHA512 21e113234c34d3103a3b65143196068b2422b488c71d74fa5f4180763ac5ae81c5e353cad314932d92ecd9cc19e85538c9787829ea5b8c8cb43baa0a0fe39c2b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

MD5 e88dc4f7ebee3966fcefeadc6ba6dc46
SHA1 067971ef5c2a9b8d39241007f0aa89f2a86f80c1
SHA256 5309c1172cf3771092875881f46bf6023cd18c2eaaa8098ffa7f6ef3c4f2d8e5
SHA512 b76c8c5edafb2ee316ba8da434e77e66a56c99bdc29a55ff842f540325e54be211581c3797af2b6ede929c87f89f3bd69ae3c1ea17ab5de2389ef96c0e9bba20

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

MD5 70b2a60a8cdb839f9038785dc548079a
SHA1 b4e9f530d5e349b5890fec7470bba813cfc96796
SHA256 526163ff6240f5d0db345c3089c777c14526da639a19b3787294aab40ba8f6f3
SHA512 d6fc065f91d29e946c4a32bb7cf25a1bb93a8f4a392315ff3ed3a9bc9344a4fa386220baceaf2a9ad3f808eb5e5436f3370b998ed243c1685ca49ae6d46ed724

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

MD5 700ccab490f0153b910b5b6759c0ea82
SHA1 17b5b0178abcd7c2f13700e8d74c2a8c8a95792a
SHA256 9aa923557c6792b15d8a80dd842f344c0a18076d7853dd59d6fd5d51435c7876
SHA512 0fec3d9549c117a0cb619cc4b13c1c69010cafceefcca891b33f4718c8d28395e8ab46cc308fbc57268d293921b07fabaf4903239091cee04243890f2010447f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

MD5 e51f388b62281af5b4a9193cce419941
SHA1 364f3d737462b7fd063107fe2c580fdb9781a45a
SHA256 348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c
SHA512 1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

MD5 522037f008e03c9448ae0aaaf09e93cb
SHA1 8a32997eab79246beed5a37db0c92fbfb006bef2
SHA256 983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7
SHA512 643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

MD5 b7070382a6dd85e70a640fd274ca4c31
SHA1 5a2faa7c6f713b9bdc80923a528f6053759cb795
SHA256 148df903feb5cc9767d9f82999bb79f204281d6e25dd45a5ed9f406eed0efa57
SHA512 f8744dd476903853af016ac94fceac3a9e11be2b15be6a1a98dc05073e11eba3bc1faf582af2d10b6d086488594238bb4db101eab8e46dc4bc23f94d3bcedd2a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

MD5 34504ed4414852e907ecc19528c2a9f0
SHA1 0694ca8841b146adcaf21c84dedc1b14e0a70646
SHA256 c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810
SHA512 173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

MD5 240c4cc15d9fd65405bb642ab81be615
SHA1 5a66783fe5dd932082f40811ae0769526874bfd3
SHA256 030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07
SHA512 267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

MD5 7e2a819601bdb18df91d434ca4d95976
SHA1 94c8d876f9e835b82211d1851314c43987290654
SHA256 7da655bf7ac66562215c863212e7225e1d3485e47e4c2d3c09faac7f78999db1
SHA512 1ca1d95cc91cb06a22b8d30a970c254e334db7ff6bad255333bac2adc83c98735ec9c43bccf9c46514664d449a43d2586d38a45970338655244e754d2a87a83e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

MD5 9dde60482197e9ed51b9ade08935c578
SHA1 078ac9e47f455b2e1a624281e00616b0efd85204
SHA256 db4f3622f69e0c1ae867d6fc0d0ef1256b515a93ede033006e0ad0f03f3eb24e
SHA512 1dedf96fcc75d0af21590e7d13b2b44293af4e6d4e1080adb022e32799074c612b058d777e94a35bf552b73a518c1bceb6f0b4fa4d1387cf29e7ce7655182316

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 61f5a4fddab56d7e3440290359c9d659
SHA1 2dde34b0eb67816aa05c12d2686642f1c3c16961
SHA256 6ac83fb5fb511f9d0908ab071e29a1f9b4cfe162ae4e647ddfca37b9eeaf4eeb
SHA512 dceb350b7fd33a9b2c09b820dec5839b32faeb3f21d03912e62d33c24ae9c2fae79a9b99bf16d93570a56c12f2a9c039d98a2c2e85db7d7d524e449ff2e92a17

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593f51.TMP

MD5 d8a959234df9d302546a5c5c828e30c5
SHA1 58fbee62be884607bc4879010bcc63267b8b9a3f
SHA256 42581293d3ff04109c6a09627df28a08b2a728972fe07aca41ac30e768259fad
SHA512 1713574fab15819d78e051d9056909990152e1e5db9be801917fe89f60ddf201b240b42b29981dc1bb00b8aa98376d76744897ecae31e3ca72330a04ad37f0e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9d54967b88f1d5b8b2dd4500106db31e
SHA1 df87dee175c023afd8a0420be80edb178214f5fb
SHA256 f68b005130d4f0418783f29e6ec815f0a284aec12f0948c64815feb862624223
SHA512 57d481e3501651fc6ae7f121bef341bb694a9ea2e15144e6ffae23827c32b9734a8cb7ccd1daa854389edbc83a3ded0359ba5223e6b551f30485a8adef06ec4b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f28470ada21372985d06416c979fe3dd
SHA1 bdc8f2bdbf8429fc996c788f594dc0e7bcf3988f
SHA256 02a16b95bcf0af3f4a978e6a2ba33bf58406f91d3d1f11a41d49bf045f2c431a
SHA512 8b76dade4e387cb1ee665dd06cfc848604b08aa12c96c62711da61883de041c5081c112cdb6f412cb6693e9086c132065e382880b95fd7541933077f49a87cb0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 c7191df12e187d97c61c76a58e6e1e1e
SHA1 fb0cde8d01841e2a58150e8b2952b4e1be5f0186
SHA256 c239452545e60d8753c48eb17551f5f7d9cee91363fd9cf60fef318ce03ca91e
SHA512 9c41aa8358ee3e6b3d3b8cd411b893b24a81d51ccdcf5c39383388a33e2b37cbf9d0bf5f2294afd4760ab8ba71dae3846b91be538d90f372ecd39997a058ba28

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe596efc.TMP

MD5 658bf168f030c90e1f476c3aa28900da
SHA1 ded0394e1b98127f94b3b8448d233e57f2d78da1
SHA256 4087cfa3c4f5e15a3b2982a3fad93035e8e8b04b946e258fd6f66c3d58de10b9
SHA512 257e80fc4a43bb5c6196cdbc7c1e28c4b920fc9287b77577d882c7a2a6e825b2b01e78f1372f1595a68222956f184cab72bb127f83766af116b049004fe3c5ff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7cf06aa97fed5e7d9796e3fd2adec4a5
SHA1 16a522726578dc031fb122e0b05f5c757caf75cf
SHA256 1206f444c78936641edd59dad1f5c367911d2a6a7699c54ab6858a9543dda903
SHA512 a1bb1c5630c5ac148caf875bcb5ec02544f60855b177ff9c72d75f30f153402b607c75db54d64230c9e12ce3380285277df17d8573fdea5b428b7e89c7bcff04

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bcb825857e69750228f87d42bf1828fc
SHA1 432c03f541e2c48f98b96a64b32ec3cd2d717d81
SHA256 ac3f38433df6c6d02ae7a697ba00eb75bfee98d4f11b551ee8c7a6cfc3897761
SHA512 04a5aa1e69180bd6036be2878e59c56b8ba682e017c7e3875476582b5030b14e27526a22ce287d7a817dacf0189d2ea2ee1ecb1c09931c6bf5ac564880f1acea
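The listing above is the sandbox's raw inventory of dropped files and dumped memory regions: it repeats a file once per write event, records the same binary under several names (4D07.exe and fefffe8cea\explothe.exe carry identical digests), and interleaves memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp lines that have no hashes. The Python below is an example added here, not part of the report or of the sandbox's own tooling. It parses that format, checks that every digest has the length its algorithm requires (a truncated hash silently breaks a blocklist), collapses repeated rows, groups paths that share a SHA256, and lists address ranges dumped from more than one PID. The input is excerpted from the listing above; the remark that a range shared across processes is usually a mapped module rather than injected code is an analyst heuristic, not a finding of the report.

```python
"""Parse a sandbox 'Files' listing into de-duplicated dropped-file IoCs.

Added example, not part of the report. Row format, as in the listing above:
a path line, a blank line, then MD5/SHA1/SHA256/SHA512 lines. Lines of the
form memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp are dumped regions.
"""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"[0-9a-f]+")
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Excerpt of the listing above; explothe.exe is repeated there as well.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\4D07.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2744-145-0x0000000074530000-0x0000000074CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2532-161-0x0000000074530000-0x0000000074CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/2532-162-0x0000000002600000-0x000000000261E000-memory.dmp
"""


def parse_listing(text):
    """Return (file rows, {pid: [(seq, start, end)]}, format errors)."""
    entries, regions, errors = [], defaultdict(list), []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            regions[int(m["pid"])].append(
                (int(m["seq"]), int(m["start"], 16), int(m["end"], 16)))
            current = None
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_LEN:
            if current is None:
                errors.append(f"hash line without a preceding path: {line!r}")
                continue
            digest = digest.lower()
            # A digest of the wrong length is an extraction defect, not an IoC.
            if len(digest) != HASH_LEN[algo] or not HEX_RE.fullmatch(digest):
                errors.append(f"{current['path']}: malformed {algo} {digest!r}")
            current[algo] = digest
            continue
        current = {"path": line}
        entries.append(current)
    return entries, dict(regions), errors


def unique_files(entries):
    """Collapse repeated (path, SHA256) rows; one row is emitted per write event."""
    seen = {}
    for e in entries:
        seen.setdefault((e["path"], e.get("SHA256")), e)
    return list(seen.values())


def paths_by_sha256(entries):
    """Digests seen under more than one path: one binary copied or renamed."""
    out = defaultdict(set)
    for e in entries:
        if "SHA256" in e:
            out[e["SHA256"]].add(e["path"])
    return {h: sorted(p) for h, p in out.items() if len(p) > 1}


def shared_regions(regions):
    """Ranges dumped from several PIDs. Heuristic: an identical range in many
    processes is usually a shared mapped module, not per-process injected code."""
    owners = defaultdict(set)
    for pid, regs in regions.items():
        for _, start, end in regs:
            owners[(start, end)].add(pid)
    return {rng: sorted(p) for rng, p in owners.items() if len(p) > 1}


if __name__ == "__main__":
    entries, regions, errors = parse_listing(SAMPLE)
    for e in unique_files(entries):
        print(e["SHA256"], e["path"])
    for digest, paths in paths_by_sha256(entries).items():
        print("same binary under", len(paths), "paths:", digest)
    for (start, end), pids in shared_regions(regions).items():
        print(f"0x{start:X}-0x{end:X} dumped from PIDs {pids}")
    print("format errors:", errors)
```

Run against the full listing, the SHA256 column of unique_files() is the blocklist to ship, paths_by_sha256() shows which dropper stage was copied to a persistence directory under a new name, and a non-empty error list means the report text was truncated during extraction and the affected hashes must be re-pulled from the sandbox before use.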