Malware Analysis Report

2025-06-16 01:31

Sample ID: 231031-d3p3zsad42
Target: f991c9b58f3db479db70d092e89375e5.bin
SHA256: 7da3adf0efc350a6d066de2b867d533fea2a1eab3f434fccd3e13ab48a460b68
Tags: amadey dcrat glupteba raccoon redline sectoprat smokeloader xmrig zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza pixelnew up3 backdoor paypal collection discovery dropper evasion infostealer loader miner persistence phishing rat spyware stealer trojan upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 7da3adf0efc350a6d066de2b867d533fea2a1eab3f434fccd3e13ab48a460b68

Threat Level: Known bad

The file f991c9b58f3db479db70d092e89375e5.bin was found to be: Known bad.

Malicious Activity Summary


Glupteba payload

Detect ZGRat V1

Suspicious use of NtCreateUserProcessOtherParentProcess

Glupteba

DcRat

RedLine payload

RedLine

SectopRAT

SmokeLoader

SectopRAT payload

Modifies Windows Defender Real-time Protection settings

Amadey

Raccoon

ZGRat

Raccoon Stealer payload

xmrig

XMRig Miner payload

Drops file in Drivers directory

Stops running service(s)

Modifies Windows Firewall

Downloads MZ/PE file

UPX packed file

Loads dropped DLL

Windows security modification

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook profiles

Checks installed software on the system

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Detected potential entity reuse from brand paypal.

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

outlook_office_path

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Modifies data under HKEY_USERS

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-10-31 03:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-10-31 03:32

Reported: 2023-10-31 03:34

Platform: win10v2004-20231020-en

Max time kernel: 89s

Max time network: 156s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\471e2e46c4ee5dc28001efd8f9d8a4bddbb59dcfec77bf5d4ac493f631651615.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1FBC.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\1FBC.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1FBC.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\1FBC.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\1FBC.exe | N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Stops running service(s)

evasion

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5dr9zm9.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4F6A.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7EAC.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bs1Nd20.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LU6dw80.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mt6aT19.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UZ3JI22.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cM1ZG35.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yF68FL7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2OF2267.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3xn79as.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4pK530lL.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5dr9zm9.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6MF7iO4.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Fz9AT32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1B82.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1C1F.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hK1FU6RE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MT2wE8kW.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1E25.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ih2Pf8XZ.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Av10fD7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1FBC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\21A1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\24FE.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2dU814HH.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4F6A.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\520B.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6D35.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
N/A | N/A | C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe | N/A
N/A | N/A | C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\77B6.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7EAC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8034.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\1FBC.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\7EAC.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\7EAC.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\7EAC.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\7EAC.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\7EAC.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ih2Pf8XZ.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mt6aT19.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bs1Nd20.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LU6dw80.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UZ3JI22.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MT2wE8kW.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\471e2e46c4ee5dc28001efd8f9d8a4bddbb59dcfec77bf5d4ac493f631651615.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hK1FU6RE.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\520B.exe'\"" | C:\Users\Admin\AppData\Local\Temp\520B.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1B82.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vv7qj8ed.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cM1ZG35.exe | N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\KAudioConverter\is-RVCI2.tmp | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\KAudioConverter\is-7IUUA.tmp | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A
File opened for modification | C:\Program Files (x86)\KAudioConverter\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\KAudioConverter\is-PEK5Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\KAudioConverter\is-9VAJP.tmp | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\KAudioConverter\is-VJEFK.tmp | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\KAudioConverter\is-LO3M1.tmp | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\KAudioConverter\XML\Styles\is-DR5GV.tmp | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\KAudioConverter\is-B7I74.tmp | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\KAudioConverter\is-T7Q43.tmp | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\KAudioConverter\is-2FBAH.tmp | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\KAudioConverter\is-VIIHS.tmp | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\KAudioConverter\XML\Styles\is-9V5SH.tmp | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\KAudioConverter\XML\Styles\is-OGCTJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A
File opened for modification | C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\KAudioConverter\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\KAudioConverter\is-PIEUC.tmp | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\KAudioConverter\is-ST3UN.tmp | C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3xn79as.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3xn79as.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3xn79as.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3xn79as.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3xn79as.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1FBC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1656 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\471e2e46c4ee5dc28001efd8f9d8a4bddbb59dcfec77bf5d4ac493f631651615.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bs1Nd20.exe
PID 5056 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bs1Nd20.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LU6dw80.exe
PID 2184 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LU6dw80.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mt6aT19.exe
PID 4024 wrote to memory of 3416 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mt6aT19.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UZ3JI22.exe
PID 3416 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UZ3JI22.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cM1ZG35.exe
PID 3336 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cM1ZG35.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yF68FL7.exe
PID 4896 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yF68FL7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3336 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cM1ZG35.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2OF2267.exe
PID 4460 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2OF2267.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3416 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UZ3JI22.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3xn79as.exe
PID 4024 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mt6aT19.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4pK530lL.exe
PID 4392 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4pK530lL.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2184 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LU6dw80.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5dr9zm9.exe
PID 2776 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5dr9zm9.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 5056 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bs1Nd20.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6MF7iO4.exe
PID 3868 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\7EAC.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\7EAC.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\471e2e46c4ee5dc28001efd8f9d8a4bddbb59dcfec77bf5d4ac493f631651615.exe

"C:\Users\Admin\AppData\Local\Temp\471e2e46c4ee5dc28001efd8f9d8a4bddbb59dcfec77bf5d4ac493f631651615.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bs1Nd20.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bs1Nd20.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LU6dw80.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LU6dw80.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mt6aT19.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\mt6aT19.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UZ3JI22.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\UZ3JI22.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cM1ZG35.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cM1ZG35.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yF68FL7.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yF68FL7.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2OF2267.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2OF2267.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3xn79as.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3xn79as.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2580 -ip 2580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4pK530lL.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4pK530lL.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5dr9zm9.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5dr9zm9.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6MF7iO4.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6MF7iO4.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Fz9AT32.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Fz9AT32.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D419.tmp\D41A.tmp\D41B.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Fz9AT32.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffbab9046f8,0x7ffbab904708,0x7ffbab904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffbab9046f8,0x7ffbab904708,0x7ffbab904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbab9046f8,0x7ffbab904708,0x7ffbab904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x80,0x16c,0x7ffbab9046f8,0x7ffbab904708,0x7ffbab904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbab9046f8,0x7ffbab904708,0x7ffbab904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4565577351781989613,1819365410726640043,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,4565577351781989613,1819365410726640043,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,7339253068157116960,4046327517916034932,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,10936251547679489584,13859393304408295894,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbab9046f8,0x7ffbab904708,0x7ffbab904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1520,3312235025069466585,9902879602337279753,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbab9046f8,0x7ffbab904708,0x7ffbab904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x13c,0x168,0x140,0x16c,0x7ffbab9046f8,0x7ffbab904708,0x7ffbab904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbab9046f8,0x7ffbab904708,0x7ffbab904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffbab9046f8,0x7ffbab904708,0x7ffbab904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7904 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7904 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8160 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\1B82.exe

C:\Users\Admin\AppData\Local\Temp\1B82.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hK1FU6RE.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hK1FU6RE.exe

C:\Users\Admin\AppData\Local\Temp\1C1F.exe

C:\Users\Admin\AppData\Local\Temp\1C1F.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MT2wE8kW.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\MT2wE8kW.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1D2A.bat" "

C:\Users\Admin\AppData\Local\Temp\1E25.exe

C:\Users\Admin\AppData\Local\Temp\1E25.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vv7qj8ed.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vv7qj8ed.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ih2Pf8XZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ih2Pf8XZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Av10fD7.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1Av10fD7.exe

C:\Users\Admin\AppData\Local\Temp\1FBC.exe

C:\Users\Admin\AppData\Local\Temp\1FBC.exe

C:\Users\Admin\AppData\Local\Temp\21A1.exe

C:\Users\Admin\AppData\Local\Temp\21A1.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbab9046f8,0x7ffbab904708,0x7ffbab904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8572 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\24FE.exe

C:\Users\Admin\AppData\Local\Temp\24FE.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2dU814HH.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2dU814HH.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6576 -ip 6576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6576 -s 540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbab9046f8,0x7ffbab904708,0x7ffbab904718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 7084 -ip 7084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7588 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7084 -s 768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbab9046f8,0x7ffbab904708,0x7ffbab904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7860 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbab9046f8,0x7ffbab904708,0x7ffbab904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8240 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbab9046f8,0x7ffbab904708,0x7ffbab904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbab9046f8,0x7ffbab904708,0x7ffbab904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbab9046f8,0x7ffbab904708,0x7ffbab904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbab9046f8,0x7ffbab904708,0x7ffbab904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9332 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=9080 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8924 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f0 0x2fc

C:\Users\Admin\AppData\Local\Temp\4F6A.exe

C:\Users\Admin\AppData\Local\Temp\4F6A.exe

C:\Users\Admin\AppData\Local\Temp\520B.exe

C:\Users\Admin\AppData\Local\Temp\520B.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DGFH2.tmp\LzmwAqmV.tmp" /SL5="$110054,3039358,68096,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\6D35.exe

C:\Users\Admin\AppData\Local\Temp\6D35.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe

"C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe" -i

C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe

"C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe" -s

C:\Users\Admin\AppData\Local\Temp\77B6.exe

C:\Users\Admin\AppData\Local\Temp\77B6.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "HAC1030-3"

C:\Users\Admin\AppData\Local\Temp\7EAC.exe

C:\Users\Admin\AppData\Local\Temp\7EAC.exe

C:\Users\Admin\AppData\Local\Temp\8034.exe

C:\Users\Admin\AppData\Local\Temp\8034.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4960 -ip 4960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 608

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,3760954844720818033,17649447281587087067,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=11128 /prefetch:2

Network


Files


memory/1992-63-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5dr9zm9.exe

MD5 87d859057fdad8383fd2c3a5bde13cd2
SHA1 a2aefc6ef7cb9b68bb9064e59acee3d99c99c448
SHA256 c2fca574ef7cb4910a9071c92f92d29dca8cab3b6f75744ffb3916e95cc10c37
SHA512 8f835f2697c4b0fadbfe3859897535e62d4210eed9695f872b9b526cf1529f1d5a3c7c9c8644ed2f0f119ab89d5e7f983252f3b88f29d6ddc27ac95a08733db7

memory/1992-67-0x0000000073DD0000-0x0000000074580000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5dr9zm9.exe

MD5 87d859057fdad8383fd2c3a5bde13cd2
SHA1 a2aefc6ef7cb9b68bb9064e59acee3d99c99c448
SHA256 c2fca574ef7cb4910a9071c92f92d29dca8cab3b6f75744ffb3916e95cc10c37
SHA512 8f835f2697c4b0fadbfe3859897535e62d4210eed9695f872b9b526cf1529f1d5a3c7c9c8644ed2f0f119ab89d5e7f983252f3b88f29d6ddc27ac95a08733db7

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 87d859057fdad8383fd2c3a5bde13cd2
SHA1 a2aefc6ef7cb9b68bb9064e59acee3d99c99c448
SHA256 c2fca574ef7cb4910a9071c92f92d29dca8cab3b6f75744ffb3916e95cc10c37
SHA512 8f835f2697c4b0fadbfe3859897535e62d4210eed9695f872b9b526cf1529f1d5a3c7c9c8644ed2f0f119ab89d5e7f983252f3b88f29d6ddc27ac95a08733db7

memory/1992-70-0x0000000008170000-0x0000000008714000-memory.dmp

memory/1992-71-0x0000000007CA0000-0x0000000007D32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 87d859057fdad8383fd2c3a5bde13cd2
SHA1 a2aefc6ef7cb9b68bb9064e59acee3d99c99c448
SHA256 c2fca574ef7cb4910a9071c92f92d29dca8cab3b6f75744ffb3916e95cc10c37
SHA512 8f835f2697c4b0fadbfe3859897535e62d4210eed9695f872b9b526cf1529f1d5a3c7c9c8644ed2f0f119ab89d5e7f983252f3b88f29d6ddc27ac95a08733db7

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 87d859057fdad8383fd2c3a5bde13cd2
SHA1 a2aefc6ef7cb9b68bb9064e59acee3d99c99c448
SHA256 c2fca574ef7cb4910a9071c92f92d29dca8cab3b6f75744ffb3916e95cc10c37
SHA512 8f835f2697c4b0fadbfe3859897535e62d4210eed9695f872b9b526cf1529f1d5a3c7c9c8644ed2f0f119ab89d5e7f983252f3b88f29d6ddc27ac95a08733db7

memory/3168-79-0x0000000073DD0000-0x0000000074580000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6MF7iO4.exe

MD5 2bb581eba6e851ca0eb97a8280a9e751
SHA1 76a87c3ac668304d1575f1e031ef7831d1ace6f5
SHA256 32d1e22474c8bb4bce7c249062ff9f0377cc2e0b78baaf5c637424bd4801cc7c
SHA512 659ee070c1cae924b889214c3d3740eb6711b0a2ea6f66e5cbb715ac0db3213deebe0c912b587c9fd91a4a33adda7985ea1bbd094d9b86a2fc731e17856c8af3

memory/1992-81-0x0000000007F20000-0x0000000007F30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6MF7iO4.exe

MD5 2bb581eba6e851ca0eb97a8280a9e751
SHA1 76a87c3ac668304d1575f1e031ef7831d1ace6f5
SHA256 32d1e22474c8bb4bce7c249062ff9f0377cc2e0b78baaf5c637424bd4801cc7c
SHA512 659ee070c1cae924b889214c3d3740eb6711b0a2ea6f66e5cbb715ac0db3213deebe0c912b587c9fd91a4a33adda7985ea1bbd094d9b86a2fc731e17856c8af3

memory/1992-84-0x0000000007EA0000-0x0000000007EAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Fz9AT32.exe

MD5 0a4a5624b157387cd134011d283aa3d1
SHA1 251767f53df1b26e3720b1c30b9558adc51a4369
SHA256 fdb2f35791a7e13ba35689c77a57310b2b6ee0b6bf0665654b57fc271249784c
SHA512 8bc34402f8feb976ebb0bc181e42d2cf0bc66d6eedfe587b932661bfda989e7137cdc83aa3ab5ac1c81eff73dc01345c0d447b2f912106349a4b6bb4093860ad

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Fz9AT32.exe

MD5 0a4a5624b157387cd134011d283aa3d1
SHA1 251767f53df1b26e3720b1c30b9558adc51a4369
SHA256 fdb2f35791a7e13ba35689c77a57310b2b6ee0b6bf0665654b57fc271249784c
SHA512 8bc34402f8feb976ebb0bc181e42d2cf0bc66d6eedfe587b932661bfda989e7137cdc83aa3ab5ac1c81eff73dc01345c0d447b2f912106349a4b6bb4093860ad

memory/1992-89-0x0000000008D40000-0x0000000009358000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D419.tmp\D41A.tmp\D41B.bat

MD5 0769624c4307afb42ff4d8602d7815ec
SHA1 786853c829f4967a61858c2cdf4891b669ac4df9
SHA256 7da27df04c56cf1aa11d427d9a3dff48b0d0df8c11f7090eb849abee6bfe421f
SHA512 df8e4c6e50c74f5daf89b3585a98980ac1dbacf4cce641571f8999e4263078e5d14863dae9cf64be4c987671a21ebdce3bf8e210715f68c5e383cc4d55f53106

memory/1992-91-0x0000000008050000-0x000000000815A000-memory.dmp

memory/1992-92-0x0000000007F80000-0x0000000007F92000-memory.dmp

memory/1992-93-0x0000000007FE0000-0x000000000801C000-memory.dmp

memory/1992-94-0x0000000008720000-0x000000000876C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16e56f576d6ace85337e8c07ec00c0bf
SHA1 5c9579bb4975c93a69d1336eed5f05013dc35b9c
SHA256 7796a7ba79148fc3cb46e4bbca48094376371ca9dd66f0810f7797c5e24158f5
SHA512 69e89f39fa6438a74a48985387cd2e3e003858b0855ee6cd03abf6967674503b98b90573c784b4cf785b9cca594d3c8762f92def24e2bf51374ef5a00921e5e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16e56f576d6ace85337e8c07ec00c0bf
SHA1 5c9579bb4975c93a69d1336eed5f05013dc35b9c
SHA256 7796a7ba79148fc3cb46e4bbca48094376371ca9dd66f0810f7797c5e24158f5
SHA512 69e89f39fa6438a74a48985387cd2e3e003858b0855ee6cd03abf6967674503b98b90573c784b4cf785b9cca594d3c8762f92def24e2bf51374ef5a00921e5e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

memory/3168-114-0x0000000073DD0000-0x0000000074580000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

\??\pipe\LOCAL\crashpad_4364_LNXOZXXKXCDFEJHC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_2992_DHYMREUIVOFHMDMB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b1cfa169-a18a-4185-af4e-0ac6312d2122.tmp

MD5 3550280fef7a2a1abd65aa26ac4a52b8
SHA1 7e7b23c1a52f6b1f97019f2bd1d3aced1d2c7782
SHA256 5a9219e6bd885c322a93ec9a57b2422712c02f4bb6867191377490b6a10a61ad
SHA512 9ba2fcf6efbfda5c50e08b9dc907324947ab848a9045229b4d8589b3c5641e3734ac44d3375018558293953a33030b2fad2b70548c2f55b9c7640b0049a5455c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e3364af5a8274b250b6aa54c22fa6a6c
SHA1 d6bf0a08849d98e445da7fd2282b2678da5a60a7
SHA256 9fd1d55c63ff4e32d44965be6d83d025e07658bce036aa744f58f43a360e1fcc
SHA512 1e3ef3b4283c1419aa43b2f41bef2f6b544cacf17cdadcd642df956e1c0c5cea7a0e91e4aad5e14cb6d735724b411d01378060e0bb557e8cb7284a8226f511ab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e0e972f271a61bbba9dc583d9037eb67
SHA1 5b0ebbb877d37b749397673ad2a46f26624ce48d
SHA256 cdad50ff4705bbe2de82718598299b677d73433d262f98ab34a82f2456afb39d
SHA512 0cacec20d187cbd100c11c65afd086e1b002b5fe16e18102fccae38574b1484fd5511498bf9bcb432b011b59cad0fdcaeff17aa43c53421745a8cbea806cb8a2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e0e972f271a61bbba9dc583d9037eb67
SHA1 5b0ebbb877d37b749397673ad2a46f26624ce48d
SHA256 cdad50ff4705bbe2de82718598299b677d73433d262f98ab34a82f2456afb39d
SHA512 0cacec20d187cbd100c11c65afd086e1b002b5fe16e18102fccae38574b1484fd5511498bf9bcb432b011b59cad0fdcaeff17aa43c53421745a8cbea806cb8a2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3550280fef7a2a1abd65aa26ac4a52b8
SHA1 7e7b23c1a52f6b1f97019f2bd1d3aced1d2c7782
SHA256 5a9219e6bd885c322a93ec9a57b2422712c02f4bb6867191377490b6a10a61ad
SHA512 9ba2fcf6efbfda5c50e08b9dc907324947ab848a9045229b4d8589b3c5641e3734ac44d3375018558293953a33030b2fad2b70548c2f55b9c7640b0049a5455c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 413de85b54c4e20177b07c16b188a071
SHA1 729319d4d5065076bb5b759fe21e20ced6b4002b
SHA256 cfd2c977980984008593a883fe5f96990808ebdfa28db67701f3b41c4ff46295
SHA512 8609134984c08d9f254a95c171c2e13a6968249a94097336c93484e898d75cc989d69768350b1eadd7cdb31940f8c83314c9381d7a100e10f106cac9cc7f9e8a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e3364af5a8274b250b6aa54c22fa6a6c
SHA1 d6bf0a08849d98e445da7fd2282b2678da5a60a7
SHA256 9fd1d55c63ff4e32d44965be6d83d025e07658bce036aa744f58f43a360e1fcc
SHA512 1e3ef3b4283c1419aa43b2f41bef2f6b544cacf17cdadcd642df956e1c0c5cea7a0e91e4aad5e14cb6d735724b411d01378060e0bb557e8cb7284a8226f511ab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c4a91eb86bb74ee6e3a6e4cc2753d681
SHA1 413b29b52133e5b6e78fdbcd7b7f3c10358266a6
SHA256 d4eb700115fb3a19ac67ac8cac684b9eda816e779361bcdd754c8fc61210d377
SHA512 6d0ed7ab6ff0dc87e534281ce8c5fc6cfde602f3f245455b02aeabe6aa602cf7f062b5b15cc658ac07203eed3e6f8aa23722f39d5f53d77db90bdaea281c1a9a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 413de85b54c4e20177b07c16b188a071
SHA1 729319d4d5065076bb5b759fe21e20ced6b4002b
SHA256 cfd2c977980984008593a883fe5f96990808ebdfa28db67701f3b41c4ff46295
SHA512 8609134984c08d9f254a95c171c2e13a6968249a94097336c93484e898d75cc989d69768350b1eadd7cdb31940f8c83314c9381d7a100e10f106cac9cc7f9e8a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3550280fef7a2a1abd65aa26ac4a52b8
SHA1 7e7b23c1a52f6b1f97019f2bd1d3aced1d2c7782
SHA256 5a9219e6bd885c322a93ec9a57b2422712c02f4bb6867191377490b6a10a61ad
SHA512 9ba2fcf6efbfda5c50e08b9dc907324947ab848a9045229b4d8589b3c5641e3734ac44d3375018558293953a33030b2fad2b70548c2f55b9c7640b0049a5455c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e0e972f271a61bbba9dc583d9037eb67
SHA1 5b0ebbb877d37b749397673ad2a46f26624ce48d
SHA256 cdad50ff4705bbe2de82718598299b677d73433d262f98ab34a82f2456afb39d
SHA512 0cacec20d187cbd100c11c65afd086e1b002b5fe16e18102fccae38574b1484fd5511498bf9bcb432b011b59cad0fdcaeff17aa43c53421745a8cbea806cb8a2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

memory/1992-307-0x0000000073DD0000-0x0000000074580000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

MD5 a5c3c60ee66c5eee4d68fdcd1e70a0f8
SHA1 679c2d0f388fcf61ecc2a0d735ef304b21e428d2
SHA256 a77e911505d857000f49f47d29f28399475324bbf89c5c77066e9f9aca4dd234
SHA512 5a4f5a1e0de5e650ca4b56bfd8e6830b98272a74d75610ed6e2f828f47cdf8447fbc5d8404bcf706ca95e5833e7c255f251137855723b531d12cbc450062750a

memory/1992-394-0x0000000007F20000-0x0000000007F30000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 097f4a4bafda8cb9c486765a901d8b22
SHA1 c9495fd1a2cd781c9a04265c2002cd7d173b80d1
SHA256 5ea699fc028518aadc78c1ebef0921af095f1a23d62c0e076d1f20829bdd3742
SHA512 3757cbd3a525c7fb9c239f3aedf72feaa7eeb7ae3f1a0ae517c9045aab716bad817da92d7542911b3e9029c7fc9f84be3f64426eb03ed3b76e6dcc9d5caaae2a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 923a543cc619ea568f91b723d9fb1ef0
SHA1 6f4ade25559645c741d7327c6e16521e43d7e1f9
SHA256 bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
SHA512 a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

MD5 a6056708f2b40fe06e76df601fdc666a
SHA1 542f2a7be8288e26f08f55216e0c32108486c04c
SHA256 fe8009d99826585803f561c9d7b01c95ec4a666e92fedb2c1ca6fa0f50bb7152
SHA512 e83e64d00199a51c1f17faca3012f6f28ad54e5ac48acea6509cccdd61ddb08b03c3a895776944190a4e261393b90f9f516ad64b1b0e4cdd88a66f6f691331a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

MD5 b24045e033655badfcc5b3292df544fb
SHA1 7869c0742b4d5cd8f1341bb061ac6c8c8cf8544b
SHA256 ce60e71ab0f5a6f0a61ee048ff379b355d72cd01fda773380b4b474b4273ec6c
SHA512 0496eab064778fe47802d7f79a536022de4a89d085457ad0d092597f93e19653f750b86f5649768e18f631505ff9792c421ba3a14b9d30522d731b5cd3d8206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 570709b09e2b6276c64cd70d9f41a4bc
SHA1 5b67b98422f949d8e0875fe7312c6ee09c6b32ab
SHA256 2a64c889daa79fa5209168387a4a020e1a4a3253f0243b19af19d45a303e1e64
SHA512 eab8993c461c1413c6f36ab68ee199e87e91b6dd5e2a52b90f5603fc9b289ad3c8c766164c6b4e1b9285a28a47d361f8d3caade5a30a402cc7ba31a0b868b54f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

MD5 990324ce59f0281c7b36fb9889e8887f
SHA1 35abc926cbea649385d104b1fd2963055454bf27
SHA256 67bcedd3040fc55d968bbe21df05c02b731181541aff4ae72b9205300a4a3ecc
SHA512 31e83da1ac217d25be6e7f35a041881b926f731fff69db6f144e4fe99b696a31f9ab7766ca22cf5a482743c2a2d00a699ca2c2d67837a86c471a2dd3bed9ea1f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 fd20981c7184673929dfcab50885629b
SHA1 14c2437aad662b119689008273844bac535f946c
SHA256 28b7a1e7b492fff3e5268a6cd480721f211ceb6f2f999f3698b3b8cbd304bb22
SHA512 b99520bbca4d2b39f8bedb59944ad97714a3c9b8a87393719f1cbc40ed63c5834979f49346d31072c4d354c612ab4db9bf7f16e7c15d6802c9ea507d8c46af75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6OA95Jz.exe

MD5 b38bf93056c1551d4c901da3bd7ac277
SHA1 a3f9128846744613b2a77cd4aebc7146e41a8a4f
SHA256 546a683f55896c6ef0980f472926c44bdcf5cb59585a478b18c77ba6e2091616
SHA512 767f892f5717a3b2a69c080edce8e5bd35e9069b677dbf1e700f557702f520acd62d81087b81d9381932a48773fb2f3932b051e9c7e6988dd0ca0f5f7a9f20c1

C:\Users\Admin\AppData\Local\Temp\1C1F.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

memory/2296-665-0x0000000073DD0000-0x0000000074580000-memory.dmp

memory/5284-670-0x0000000000FB0000-0x0000000000FBA000-memory.dmp

memory/2296-669-0x00000000073E0000-0x00000000073F0000-memory.dmp

memory/5284-671-0x0000000073DD0000-0x0000000074580000-memory.dmp

memory/6576-689-0x0000000000400000-0x0000000000434000-memory.dmp

memory/6576-714-0x0000000000400000-0x0000000000434000-memory.dmp

memory/6576-737-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5312-767-0x0000000000D80000-0x0000000000DBE000-memory.dmp

memory/5312-772-0x0000000073DD0000-0x0000000074580000-memory.dmp

memory/7084-773-0x0000000000400000-0x0000000000480000-memory.dmp

memory/5312-774-0x0000000007CB0000-0x0000000007CC0000-memory.dmp

memory/7084-777-0x0000000000550000-0x00000000005AA000-memory.dmp

memory/7084-781-0x0000000073DD0000-0x0000000074580000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d5043c1b16eafd24889b9a67bd41167a
SHA1 7e5224044973de560ce240257aee4f8e1594ed6b
SHA256 b6d1cfe106a97a8af98994c42b74a2a018aecb1e1b8274a045ae6b5076d5ebca
SHA512 25ca6e76b4f3bb9e1302cf58d53d73c5a31d12b11ccb5771bc80c63cc79c28343156d4676ab4c26a79c62f44436f58dc718b834dd09d59e3d1ebf150a563812f

memory/7084-833-0x0000000000400000-0x0000000000480000-memory.dmp

memory/7084-836-0x0000000073DD0000-0x0000000074580000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d62587cfbeeac6d2d11a360b02007223
SHA1 a56e21d9102d81570c169c297285bc3462ffdba8
SHA256 bb24a068dbfff1b12b97ba68d4d8a09706cfd8a9634f2804bb99e9d536aeb000
SHA512 c8dc903682065d217b70ba71a7b715670f8f47c8924387cdf7ed363915d0290e3b52b003f29eb742afddc170e76607249f12c093268b9a55c0fec4b469a9293a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5837c4.TMP

MD5 cb539ca94b5189993f95d87d87016894
SHA1 8593e10fb673293cbc9397758919de615bbdab9b
SHA256 4b93d0da8ed66aea73879d2be9b8fc8900564182a9501521b7c82540817220aa
SHA512 3f0e50e413354f7e7206e9505e7e08da256fd2b4d3255ab9de084ca9519b2c12f5d78b2b2ea6741683a1147b3a74eac283b51504d0326c0d269629f0eae6061f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

MD5 9ee8d611a9369b4a54ca085c0439120c
SHA1 74ac1126b6d7927ec555c5b4dc624f57d17df7bb
SHA256 e4cf7a17182adf614419d07a906cacf03b413bc51a98aacbcfc8b8da47f8581c
SHA512 926c00967129494292e3bf9f35dbcdef8efdbddc66114d7104fcc61aa6866298ad0182c0cbdf923b694f25bb9e18020e674fd1367df236a2c6506b859641c041

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000046

MD5 2d64caa5ecbf5e42cbb766ca4d85e90e
SHA1 147420abceb4a7fd7e486dddcfe68cda7ebb3a18
SHA256 045b433f94502cfa873a39e72d616c73ec1b4c567b7ee0f847f442651683791f
SHA512 c96556ec57dac504919e806c7df536c4f86892b8525739289b2f2dbbf475de883a4824069dbdd4bb1770dd484f321563a00892e6c79d48818a4b95406bf1af96

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000044

MD5 57613e143ff3dae10f282e84a066de28
SHA1 88756cc8c6db645b5f20aa17b14feefb4411c25f
SHA256 19b8db163bcc51732457efa40911b4a422f297ff3cd566467d87eab93cef0c14
SHA512 94f045e71b9276944609ca69fc4b8704e4447f9b0fc2b80789cc012235895c50ef9ecb781a3ed901a0c989bed26caa37d4d4a9baffcce2cb19606dbb16a17176

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000045

MD5 ce6bda6643b662a41b9fb570bdf72f83
SHA1 87bcf1d2820b476aaeaea91dc7f6dbedd73c1cb8
SHA256 0adf4d5edbc82d28879fdfaaf7274ba05162ff8cbbda816d69ed52f1dae547f6
SHA512 8023da9f9619d34d4e5f7c819a96356485f73fddcb8adb452f3ceefa8c969c16ca78a8c8d02d8e7a213eb9c5bbe5c50745ba7602e0ee2fe36d2742fb3e979c86

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000048

MD5 4f7c668ae0988bf759b831769bfd0335
SHA1 280a11e29d10bb78d6a5b4a1f512bf3c05836e34
SHA256 32d4c8dc451e11db315d047306feea0376fbdc3a77c0ab8f5a8ab154164734d1
SHA512 af959fe2a7d5f186bd79a6b1d02c69f058ecd52e60ebd0effa7f23b665a41500732ffa50a6e468a5253bb58644251586ae38ec53e21eab9140f1cf5fd291f6a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000047

MD5 48b805d8fa321668db4ce8dfd96db5b9
SHA1 e0ded2606559c8100ef544c1f1c704e878a29b92
SHA256 9a75f8cc40bbe9c9499e7b2d3bab98a447685a361489357a111479517005c954
SHA512 95da761ca3f99f7808a0148cfa2416b8c03d90859bff65b396061ada5a4394fb50e2a4b82986caab07bc1fcd73980fe9b08e804b3ce897762a17d2e44935076d

memory/2296-906-0x0000000073DD0000-0x0000000074580000-memory.dmp

memory/2296-907-0x00000000073E0000-0x00000000073F0000-memory.dmp

memory/5284-973-0x0000000073DD0000-0x0000000074580000-memory.dmp

memory/5284-977-0x0000000073DD0000-0x0000000074580000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 8b6e9ca2b4fb0762e5add6a80dc4e379
SHA1 99308418dc307d3605346d0450e5417f69795004
SHA256 368693e14e52b43531fbae90d5f880c7d1d99b621c6cd5d6f5b9bdea450e4c22
SHA512 bfcfc12ba0e927829e0aca98c69458d8b618eb48583306c1cb61ca843ca91e8b4df917aa740a6bc2ca07b8ecd33dbfe1598c33bc9c1994695736f42cd8c57b50

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 bd8ece0b155f589b032e2b7a4e45e9f1
SHA1 67270a516ca3477971cc30a91b9364551419f5fe
SHA256 b1d6e44250d1766a08c4d3f72acef49d9a1010b4413d23d1850a16266d106ffb
SHA512 65ece940b579dade402facad3ad5dd8677e15998529534b9c07a28a2813b916b97ad5bf1d2e649872cdfbc4bbbdc1ffde3b4b67dd68c33c02f084050699660d1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe584d21.TMP

MD5 0aa380c88c857b1774a82ad86a65549f
SHA1 2aff63705bc4b600269f6f29407b235a847f4c5d
SHA256 f1a33265b07d002681ec5afa86d8502d5eb8cfb458e3b96b0b40e27a1c227fd2
SHA512 4155dab89b03288534e4b8d4d07825d843d1500ed49f0c9cb548314ebcc5d717c99b14ba20d2acf1f0692559fbdc30981589f8600d8260c4ad86a9158f46f314

memory/5312-1012-0x0000000073DD0000-0x0000000074580000-memory.dmp

memory/4976-1040-0x0000000000020000-0x0000000000A04000-memory.dmp

memory/4976-1039-0x0000000073DD0000-0x0000000074580000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/5312-1055-0x0000000007CB0000-0x0000000007CC0000-memory.dmp

memory/8144-1065-0x0000000000A30000-0x0000000000A38000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/8144-1071-0x00007FFB985B0000-0x00007FFB99071000-memory.dmp

memory/8144-1073-0x000000001B5E0000-0x000000001B5F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ce6986b79a7f23d9127c9152458ea3ce
SHA1 ec130d6f794ba9fe596ae58d907d1f38fd530ed3
SHA256 9290e571026ddcc60fbeca36061c9e58951699e217860e321405539b8258f857
SHA512 fec8cee9b2510870c3d80b02dec1127687544fd3d4d70bf340ce50ddde143b9677985bc61613618c5d3e1c8f64dcb020f9775d4113ba9304d3846cb6ede149c6

memory/4976-1075-0x0000000073DD0000-0x0000000074580000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 3c734b9048750a7b3dd8f8bb2b37ec1c
SHA1 85ae10277cacc331635785f1cf85fb5f3b1db2f6
SHA256 6378b0de758b2191d4b14b157d4ed085db841f26651c76dc41cd96c4ecf56021
SHA512 512b6d93a5feddfb613f1a1942a6b03e18b444d8bcea46de96991af279c43bcee81a566daf2050a73523188d93ca3cb0f9a34e8d15b064abb452b70263b4157b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

MD5 9f1c899a371951195b4dedabf8fc4588
SHA1 7abeeee04287a2633f5d2fa32d09c4c12e76051b
SHA256 ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7
SHA512 86e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

MD5 eccad76805c6421735c51509323ea374
SHA1 7408929a96e1cd9a4b923b86966ce0e2b021552b
SHA256 14c8d86be351170c4e9f785c2dfb686bfe945209cbf98533f54194f8c276b6db
SHA512 4a7e5d3815d0655e0ea2aac7843d13258f312f70174d68951a21782054e684f739484dac08fda8cd47f5cf20d37516b017799d4819b0f88e46c819bd077fd94f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

MD5 73ad1ae9855d313baf3b80d18908d53e
SHA1 21dd5ac5a897f298721280a34761fef3947bd58b
SHA256 24f67f034f9a5178feeaa5db9bfdc6e2a71ff9b700cb962f59820414c39382c2
SHA512 0dc9ead6cb835c004fa4570314b8de072cd55e0ce49adf5b738242709bec5799f91da525987da0af32f950f352a772ed26902b149fbecfef2463cc5407b47bd3

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 fd713d8861975d39492d7a2271dea0c3
SHA1 2c4a5f63ec5cbd53e747d1609cdbff5f630d9d1a
SHA256 fc6d654f4c1a8c7d9a4de520d253b2b771bc11c339eda1242a8eb43ad86f0141
SHA512 3005b8c50ee60f5f276b4ece15ddc3401a1726a2952049758dbfca36a6c1339da23ffd445ec3553ac4c13385f99b74fec528d4f128e1cc3b22c592d610d60c3e

memory/1656-1225-0x0000000000400000-0x0000000000418000-memory.dmp

memory/8144-1262-0x00007FFB985B0000-0x00007FFB99071000-memory.dmp

memory/7264-1277-0x0000000000A70000-0x0000000000B70000-memory.dmp

memory/7264-1279-0x00000000008D0000-0x00000000008D9000-memory.dmp

memory/8500-1326-0x0000000073DD0000-0x0000000074580000-memory.dmp

memory/8500-1330-0x0000000005330000-0x00000000053CC000-memory.dmp

memory/8852-1332-0x0000000000400000-0x0000000000612000-memory.dmp

memory/8852-1336-0x0000000000400000-0x0000000000612000-memory.dmp

memory/8852-1333-0x0000000000400000-0x0000000000612000-memory.dmp

memory/8116-1368-0x0000000002B90000-0x0000000002F93000-memory.dmp

memory/8948-1415-0x0000000000400000-0x0000000000612000-memory.dmp

memory/8116-1414-0x0000000002FA0000-0x000000000388B000-memory.dmp

memory/8116-1416-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/8948-1366-0x0000000000400000-0x0000000000612000-memory.dmp

memory/8592-1327-0x0000000000400000-0x0000000000409000-memory.dmp

memory/9084-1420-0x0000000000400000-0x0000000000461000-memory.dmp

memory/9084-1421-0x00000000001C0000-0x00000000001FE000-memory.dmp

memory/8500-1294-0x0000000000730000-0x0000000000B10000-memory.dmp

memory/9084-1425-0x0000000073DD0000-0x0000000074580000-memory.dmp

memory/8592-1293-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1656-1428-0x0000000000400000-0x0000000000418000-memory.dmp

memory/9084-1431-0x0000000007600000-0x0000000007610000-memory.dmp

memory/8508-1292-0x0000000000540000-0x0000000000541000-memory.dmp

memory/8292-1432-0x00000000003E0000-0x00000000003FE000-memory.dmp

memory/8292-1433-0x0000000073DD0000-0x0000000074580000-memory.dmp

memory/8500-1434-0x0000000073DD0000-0x0000000074580000-memory.dmp

memory/8292-1435-0x0000000002530000-0x0000000002540000-memory.dmp

memory/8592-1437-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3248-1436-0x0000000002D60000-0x0000000002D76000-memory.dmp

memory/4916-1445-0x0000000002930000-0x0000000002966000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_muc2mxgg.42q.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1e52b17c8b99211fa712505ebac1988b
SHA1 52f638eb8800d71d4198c85198c39705c95c6246
SHA256 41e3114fd8a3aab6410da661827f682e95200100601a03f5b442244d272d9923
SHA512 8fced5987797945f8739ac02a33938c22483c9e0dc4330f9919ed9f8a7e75f867d0c53ed835b766c67f6d60b9365b1bec7b1438961ce6ce461c88485392867f7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0c1bcdfb72bc7ca6149bc06ee5067a0c
SHA1 e1bf45e7c1a4b5dd6077dec230c12e7b1072cb0f
SHA256 cab954eec705ce14d067fcebb544900af31d36607a9ccefe9909454a1693ed25
SHA512 b4dd29464ca1bc26214431c904748255a9d4f3a6180599d1ab5ca9a3b0ab5e5890a80808f2f42f554b9ed0dbb1ff6f81104f7edca3032a34e5e8ed8eecd99a84

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 ca124095d42b83f93234a873c9d4637d
SHA1 8f7f62d68a64873ea891153fb54fa370788ff27a
SHA256 e6a44dc0c0c3c9c6ef86a908edd1c8ec45e2f4754461da0baa1a2a793612d5aa
SHA512 a68ed47d0087a91158975644af39722efd4be55aceed337e7e0945126f86ebe2e53830925d1dd6309a8dfe38ab8edc61a46290b186659ad4012510da8f8c71ca

memory/4960-1575-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe589f0a.TMP

MD5 9c5242dab402b5a28c46b5156151f99c
SHA1 cf2ab3c6ac8c3c453c24e390a0eeb406e3a6ea6d
SHA256 b7f15cf279fe79a0a5ee686339e7de5f2f84f9687a32173e8fade8fb0ac089e1
SHA512 28c5d9dcacfafb3b70614795e0e046ed9e1d1501ae02191f68232d469f27c3d9e127c16b2fe7985d3266ab35b4066023bd1da051610f06c70a1da92aaddd928f

memory/4960-1583-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4960-1588-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpADE0.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpAE24.tmp

MD5 985339a523cfa3862ebc174380d3340c
SHA1 73bf03c8f7bc58b4e28bcbfdd1c2ba52dea5dfb7
SHA256 57c7f10cd97c8db447281ad0f47d4694035056e050b85b81f5a5124f461621a2
SHA512 b5d34c43330f8070b3f353c826a54aecd99b7129a214913a365b66009a1a6744093bf085d3f86681ed40c714d6ebdfff40d99d7bd7a3508a0a0caed6304ac27c

C:\Users\Admin\AppData\Local\Temp\tmpAE6F.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpAE94.tmp

MD5 2e4a2af1ef1addd98624b166d50efd1c
SHA1 86ffb3ae76517429142c329542a2f6ce44bfde8f
SHA256 8fdbf5948c5bf1302e0d70552ba23ccd30ddfdd3e51ea951c08f95eb95838418
SHA512 7450be1333e0fb01abacca8340005bc1fed7a8cbe75d4cab53c9cff36625d0db0532116f07e1bbc7648a8d6e22742a30a24797b433ad3d1f2e7c06f71521c0bc

C:\Users\Admin\AppData\Local\Temp\tmpAEF4.tmp

MD5 16272f4cc8c770f9601a66263ce1c0c1
SHA1 ec28d55a0b0821b2dc7b09136751bef1ad195dcd
SHA256 79cb83f89ad7762e9d5d446c01a1886c346ae7b20adf6db6ca5e10b62e7e143c
SHA512 3ec905241ad7bc28fae3f1df3edd1640a4d4799ef8a122919adf723bd380085c9ed3a4915f00d0000cdb997815c5ed95598def3f45ce557cb3bc453a3a708a1d

C:\Users\Admin\AppData\Local\Temp\tmpAF3E.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\2db5d530-8889-4978-884d-e03f70051d3e\index-dir\the-real-index~RFe58bacf.TMP

MD5 27f6ae63561b963a038efe8ccaf711ff
SHA1 966fe3a731fddc9fef7cda0fc30061591b13942a
SHA256 f551bf249fd20ed61452904834b28cedf66d9a5e98536fc32da25e51e7466763
SHA512 271396cb547cd95fba52df9244b42115cc08edd9036ae44b7c4fef664988ad93b62a76382075a3e9965753018f975448010268d943e2b87d666b04af104c7cfb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\2db5d530-8889-4978-884d-e03f70051d3e\index-dir\the-real-index

MD5 19c322e054dcc49c3eed60c7330647df
SHA1 9556000008006a3f9d36b6ca181b9fee2a42a541
SHA256 782ee1f158f3efb8e1a91a2e8952374b08b6c18550312de39450085b37f03a3a
SHA512 7e25d550125b000cff607f07c65a0427a9d25b9b0a066fbd7222af0300fd9442c85be2b6a0da369610104ffc8e6442ef7e24768083ce7f62ebe3502e11947c32

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1affc35d103a8a166410f5d2c246d699
SHA1 2367abcaba447966128028d5b5435439309ae8a8
SHA256 c41cae62adb0b438f5ca1ad35f670fc177c1bb991595ec5f628a5be1286112ac
SHA512 8d4fd7f29ceecf287ab8b541cac2c8ec193b8bef668cc2989ddeb15b17bd3399586f198f92648d04e15003cada16b3bc1b1dd25e4f1a399379a1373deff71f98

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 fd6dbcd7bc3144697b20bdb9de832d93
SHA1 b6a5345e4cf7d3d8e4bb4021079873bb83e67414
SHA256 66f0347fe0f0d92bd33d1ddf065e5831be3323fd3938e257487189a1b6ccd053
SHA512 36d35156c0d985eea04d323442d25728baf3e90b70955a8307ba4d6b6f685be4fb7cdffe1e99ac079b47689f04e7b34dd9b743ca267e24a7d3b577879b267964

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\56707f44-5cc9-47fe-8976-479d71f8d248\index-dir\the-real-index

MD5 f504fbb458d36ab08d393dae3ef566ac
SHA1 44941e0fd1b77ea27d68c6a8c39a9fb7a5fb7b8f
SHA256 037a5b3cfd2d3bacca5b9d3bc5716e883a409eaee134d7e5fd89acf4c799ac45
SHA512 c1a3a33e6880059fb8da771beee75693cd4fb60771afc52e4019feb5524cd2f6ed829db173e12bded9bea1857e3f2c2e284bd29bbe173ad67ace5dec509e9db9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\56707f44-5cc9-47fe-8976-479d71f8d248\index-dir\the-real-index~RFe58c668.TMP

MD5 d24709f6007b7f196667ca65b6965667
SHA1 aa9bcff1ad935036563ade78a2ed1bd15dc46fa5
SHA256 fbcb8b5dc8ba9f3711542e54e96669bdd4b037f2980089a8c9fdd642724bd6c4
SHA512 91bb850f70ff99dbd7e119628c19aa23dbb090bd7251d908b8d7b2148f9f57463c02d767a01902375198f3c327dabeef3e14a905945b7f1357552de5ef26e49a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 cff5aa372353d726b9f9e96e8e1b4eba
SHA1 a0dc8e8c9210bc4b76c63e3be4856cea8eb8b151
SHA256 f74a68cbdadc1d3963bfa5dc6ba5a591df6439dfe3908623290f65ba93d1a5da
SHA512 d19e2ca37757ad67a460bba16024a60eb28ab82d41fd458fa0d7c0b54dfe985c1ec9bac560c0254df0389e6f9edeee5bc4fc0f68a2d5f10ff5f1a9db37c00593

memory/2172-2023-0x00007FF641FD0000-0x00007FF642571000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ce57f6c7fe2dfc8008ab5260b06fb079
SHA1 25321745e8873b6c0ec3e18d5591a532ec43bc66
SHA256 861076fba7fced69b6f90a3165c4a34b398785d29bc588adbed88f6d4ebd8022
SHA512 729d9c0ad08ab62a2406863ad8b0a6447d14c82f3384e548ee3ebe3f97b9e8d8948798300d176e79e852ad26bc71e87c9e693500ba4b1a3f39bcdf0cd222769b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a120cc13df38ecbea7f8f2e4aedb308c
SHA1 8e7d1600e14ea933a3a3a7f438271e57e797a222
SHA256 84c69ea68140c216e9a80067a0c798ecde12640cc8626b243c08f8e2ed3e44a7
SHA512 148b31a58f1de897ad3c5c2877b618e6d38e3bc03cdeb670c6ad9f4141a90a0a0d8b908c1ea50b39190ec52622df7b7095e872c627441df0806c02e93e64cde8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 913ceaef4f05eb5c796f4aec8582a7e1
SHA1 72a5731df6ac18f273c7c402126bd9ee217360ae
SHA256 cb518a1dbea719cb69762d86ef8005d82851ada796b6a158f6c926443c2688d3
SHA512 77b65775411747178e360cb3a719c09304b3633fb8e5000e0ffc5cf920ba6c747a1b6aafbe0ca2a627a23fc6d3fb356db64c4a08804c702cc0ef99501f79d485

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 9fd07e6eb1dc1ac3c88954e3668f87e6
SHA1 2c237b42ab66c1832e02d74bd578f00192d0b7dc
SHA256 56312ed36a2d0b88b87649353e061dd86a0ff1c7b1254071844946ab5c67e6a9
SHA512 ccc087731a1d6b47ed7a1a88b0908721056ad4092c1b6350eabcfd63ac5c84c18890a6012f89a5ef972df52b02654a07384b26880c06daf94b1a35e2902dacb8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4040967559e765dc612d9ada317fb668
SHA1 ea1ec856f000aa136c20a07713c843e60c35b5e5
SHA256 eb9aba379e1460d42d1419af7220b0a269f9346132687f26efd52642d99291c8
SHA512 bb631eeef3cf0bd54a7c68778d20cff2a83c5d4015a07fc0e6aee8dcf782826e9764cd1ac2af1fabecd58a5cb255e8eae548629b76bbb7c769f19440b39d4675

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

MD5 8eb5c41bcc41b26d2df786cf842497cd
SHA1 ed2167c2eb6906c0794f90a304ac870687c486b8
SHA256 52775f71c06824d4081692f9f4e47e02aa5a41694daef3b8f57e14a49933a77d
SHA512 77eae3cdd04da631414f861a08bc5e0279cdf745b6922fcd0ffe022c44585e0316a1e78d2cc86d1c21d6ab01e104cd959168a55e40e08a33d896a679c00b3771

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f161768ade90d18c52e71738f0feb76e
SHA1 db727809b75952a8fd075af783cc592cb47d8a66
SHA256 4c30a74b4bb65b2dd5f6612b38b48288e76cf99ff0fe0315049da33ceb94faf6
SHA512 9be16118dccf247103c8285d81328cadda3737a7fbba22bfa5cd7f4cd0be5249571c8c55ce14e824c1772defb0d35be12049e56007e9a6a20e6cb270cc8f1c90

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

MD5 d5b8d141a08fdde8abf6cd1d5343346a
SHA1 bdac6246a7ef746566b18033eef52ee4de95082f
SHA256 0ed2ba45aaff926c33f6a21b1edea31ae58932999d4e7594907c0f067baf8ec3
SHA512 fb3f2d0e09158e5758d33408bf366b1aee9973f6a549b434b67c4b5946afb59e702f3ad85dcec92308503db8c0e1b54ea6e2e22a7c24347289b8b98346c02fca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

MD5 5c1f5b5423d642cbe35e227fe9876eaa
SHA1 30305673953a3687555d09f36ab6158dd3f06c8a
SHA256 02d9dc055ce694838aee2468fcd912c5bbb5b9fc5676c4179dafbed1119f0c44
SHA512 c52ce31bf7afc754e71cdcd3857f9acb5544efdf72751d968f15d77a5e8b5faef63fe16c3e78aff96dfe57a814aefe4cd507ad7632ca3c2030053c71f9107e94

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005d

MD5 231913fdebabcbe65f4b0052372bde56
SHA1 553909d080e4f210b64dc73292f3a111d5a0781f
SHA256 9f890a9debcdfccc339149a7943be9aff9e4c9203c2fa37d5671a5b2c88503ad
SHA512 7b11b709968c5a52b9b60189fb534f5df56912417243820e9d1c00c97f4bd6d0835f2cdf574d0c36ecb32dbbf5fc397324df54f7fdf9e1b062b5dbda2c02e919

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\b25c7706-a13a-4d46-8a21-33bac5decca9\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

MD5 6570dbdf0c77832f8e8abf5a7790af71
SHA1 fe825078636e30f9e7fd4a543988db8ce65f6fa8
SHA256 385a5ca1d9e8de5591dd7c15b30812f58ad3abf625aad203984fec0964d42d12
SHA512 dc440685ca6519b1b9172c4f6554fefcd88d41d152df311c62381f73eb2a060592d826c37bd0c923be926f3c9fec62283fc8e14a851aad870f59e59ff3c20049

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt~RFe5930bb.TMP

MD5 0a74719ea29da66e49caebddafa078b7
SHA1 ed4d31ec4a2f374bef0ec36c258afc16a9f1de00
SHA256 c8fb52737058e5d787693d6a80bcc6b7000c25fc6107c2099c01b4ee89b5c5d8
SHA512 0b8564bf8d987aa180b424ab56f6203f9e66b6ac7168097969d7b67833595d1bb086402b217617a7e3732445e38339ff164f513c6272b93b2de9e2721f648d22

memory/4468-2446-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a1ce6ed75cd576acc5673ba25a8ee5ee
SHA1 0ba573e4b097a5b69c3df1f2a407ef44fbe7be25
SHA256 cb1475a2074aabf37bdde77cb53d30e4c2b53643854f8d387ad136472c40e06b
SHA512 d039857f197b13517a53a6ddeecb8960ff6acb9d805fe416e415c81d87a7b027057d9257dae53a3d774449ea629fd028d9c8ed85e46e1c97b40156a58430af07

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 1d9d9336720e1e131bf80a1a3c3da720
SHA1 83d9e03a43bb923c2e1685b1e3afd4da52838787
SHA256 20d22deb0b9586307e20f44d55b1bdd5334519f38baf6f230537e8add1e4ca25
SHA512 8b4560f569e8152ac333a775525ce3357817ab4f700ef135917ee346f305a23ddeb668a13839dfc1c995f493213e72baa0c6e274cf96d2dfbbe9c7f555440479

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

MD5 603b46a042ff004fa5b18b5e64a7c121
SHA1 d5edc542e336e7c4ecd7279b1d5e5666c7b00a31
SHA256 077ce9cdd14688ea70f9a22a75c6f97416213cc8b869a0b1d4de476403e6b8be
SHA512 a22e853dce127dfe6c0ca5401ca488ea4cd37011a19e32557cf5c2438b75b97ac62c7b1adc1acfb67c6a47e39979cd5c778413ddf6246a46835c7a2f7c69066f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005b

MD5 1490acc6c189316c545989694777347d
SHA1 40d46c9364bcad6fa1f9e5eeeca1120e3124e903
SHA256 fe349cee3e127dc9754839d36e462abdb47db388502b0fe5c0132252d3bea75f
SHA512 4e34822f615e7c4a105ed9e1de727cb28b1bd349a14f1dc53313b473c25a50bbffba66d757747d8d0b201ede64d89d73dc918be7cb87614592f5720629cd76ba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000063

MD5 3d2f4182c474d87c9d1fecf7af9f7082
SHA1 213a499d3f304b2015efb399a0faf08bc78c4306
SHA256 c243f4ab8abf11750a75121292f499ff77213c6c56c0aed0730f3cdf084036d9
SHA512 c22ece464abfc073c7f417b571fd534bcfbbb953b89c10e878bc74b2de671fed0e667a1abee380cf14c49680d2d9ce1d5ee920dc676d05e37965ad3e6348d1d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

MD5 85122ab68ee0ec8f5b454edd14c86c41
SHA1 d1b1132e3054ff3cef157fea75f4502c34fa5e26
SHA256 4f5169675d35f59c99a0a4e41a52a0b79a86117a9244ac79dbb1e7cc13e0e9b5
SHA512 dae95ac0a262b0fc88302050c51158e11fd113c05efa351bee3213e75150181915a870e00ec0797ec994462ccd841c77215a7b7b0d02651d4757f03ba17274ca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000064

MD5 ab18a46f7c0b1a34b19d40d2198dbea0
SHA1 fe6fb562b7c2ce00e4fbefb140b0281631e03376
SHA256 27d2a2e22ff6476c72078311e9e1c58b1b72ec687f563b2d4f802f99e65afb12
SHA512 fdf94f4ad2923c1d4245279e1983e1e1ea3d6cc15793b9eedf79daf66ca44c5c4c78c04371b5a752906fe9c6975db36342f6e43ef457f28c67d3c81b8b9e8cab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000068

MD5 67412b247e0ff9363d571537acb61e09
SHA1 e58351674fb43e8fec92c7258ebe25703fc708ad
SHA256 663d61f95733059cd6879a8d5f2fdc8b0a1705a3fd25d0ed013ae8f09e215666
SHA512 b193da22ca7fe981cd8e30107fc5d9b3007b3b91310bea0d41d379bc36421e83396364b5bb78676a3fff2f6909773438889cac231c31eef1d13e62f1b32e59b7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006c

MD5 e688630f33c2bb19a3dcc8638cc8add4
SHA1 d1c63d5727a4c00c4955dfb54bc7840c6dea3645
SHA256 81d1c12fa0fc944e0db257c8f9a23f603029532dc9226a8c416c64e56380db21
SHA512 885c48c8334a6ae4296692bb001470b7d2a04804e1265bd472b990eee3499785e97f5c9a8169a0a850261156492a6c9d56451998cf3e00911afbeb0cbb7a96f2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006e

MD5 ee32983357800a1c73ce1f62da083101
SHA1 467c2215d2bcc003516319be703bf52099303d3d
SHA256 173b1020764ed0b48e21882bb888025edc6560672f29fa3241712bf172e684cd
SHA512 45e9f3fb39f15066ecf6fb2711abc19586f3165c12f7d8adf9503bd51d31a50594e59cd4c02196491f11516b074e105e0409c4fe468e2f89f53582eff8932f3a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000062

MD5 3df01456ef7248b94ac7622830395b82
SHA1 f5c2d24e2e6981c214b731cdc4d10cccd3424c6d
SHA256 74218a640c8bff89436945d4cedf1d5bf213285458c36d626e8970c7149c0f93
SHA512 06ab8af0ad993243a3700282e1a6cb4d9a1ca221a6633359ecb85d32e8125b8344db0cdd757bb8d2b36bd54a53fd40a6e922ffba49fb40a60a50ce0aeb5bfb0c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 3903d87bdc1af93f56356176ba8f9619
SHA1 61b9dfdabf8283603c2264944122b6be8c0aeb9b
SHA256 f24ab980d5fce500e84cdc94e41aceda156cb30e990123ed038c24cfb2a02d6e
SHA512 4c3c871b31ce0ca83cd9fdba4d880abdb77ede50548163707bbee8c54a7bf0d4df69565e0a8546fc6b7dc1715acb11f565ff6f7119afa193b2c2269160b5e789

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 510ae8a071e739d4c1ffdea1dcb0e2fc
SHA1 2b3cbd638b66b61db81fa51b6ac471c85cac40da
SHA256 cd4348de244b09238b860877eea122bd5bd9807082cbd0cb552e34ed6cc359fe
SHA512 3bed59275e79d47e45278aa058ee0811edbe1625abb685e0ed45f93c6d6fec81ca5f8d00032aaa75d367c90e0e8bf07bfa510ef022eeee2eaf5dc6f32500dc14

memory/4352-2997-0x00007FF751B40000-0x00007FF7520E1000-memory.dmp

memory/8492-2998-0x0000000000BA0000-0x0000000000BC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 29097552f3215d5c7d5898e9925a2b51
SHA1 9a654712a175c04088e945f3ef312a4bb68db81b
SHA256 375fc629394500e7c92044da9f4dbc24628b51e665382d6776ae06565c0f9ba2
SHA512 18308d798adbd6a5b56a3173198a2d6581451cfb820d794c0bea52742692aab14388f7d57136671082ed10244231aee29ebdb51c9406faebcc3d24523a668090

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\60d7dcf6-da0e-45cd-964a-beae6abf27a4\index-dir\the-real-index

MD5 54c85603cce5fb138c7ad26c6f383795
SHA1 9e8609499fbff789e49ee5b75ded7d28a7e9aa6e
SHA256 65b1689b294925f6ce7d10f19c3a601e727e1074315a755987c3b1c05abae03b
SHA512 bd20cd0786b33be545e33238163158c70e12c4754f1b302620715b6a00cb8b6403e537e8e260419b2c336ec363c1ef25b2df4b9dc155d8a5012e8bf6561a2931

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\60d7dcf6-da0e-45cd-964a-beae6abf27a4\index-dir\the-real-index~RFe5987f3.TMP

MD5 44b78e2296e3ed176ea8960a9df8b279
SHA1 b9f030a1b787b370a1ac9bd14695086d10c51ef5
SHA256 10ec3d8b9a254f2370f0387bd8c4948c81e9f4dc560effffbda712704752a1fd
SHA512 fb69fb0262a296bd712cfbd8d6bef57f69dd93faa6333e4ad65175a9d5bc7cef6f4cb43d23bd77b761a1414abce6c10153e962b82afe09c790105fdcf4cbfab3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5f9c979515ec57c1dcad1edd033e21c0
SHA1 0a3e40af71d04ece26665fec8340d22ad730728a
SHA256 49e8f3a94d1223bd19e7111d6c65a3d53a9fa970b3aa9b4a77adf9f87562ff9c
SHA512 a258dfb5f010e0c110d7d80febcee66f31be518264d6fc459506b41b3235c1f3710d67c58b9c2d5d4b79be4b74574eed7fa04982e33cb1798d3a25b9d765601d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000050

MD5 9e645b4b23682655733e89ea1e704ea0
SHA1 497a6c5681f09070b68dfa1650629229a86c0ebc
SHA256 f869ac57a67af5981dba5d231f659bd8872d929ff840377cbb06f52702d3b852
SHA512 f2b9571478d2f26cd2d8593d5c8c0fccc525f75b27b0dd24178c945d23b7a23c74ff341bcb55752307d46eab9ef33c93e80f9b7d1b57e01b2ab285cf9365b427

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c7cbcf15a416c05d88334560dd782fe6
SHA1 d034e812a1bd80b170f3410cbc71a7035b7f4125
SHA256 7e6401b7bc0e41a41d35fa5889711ced551cdefabc98e0671404c37bfe5b0739
SHA512 80df661ce4955860b23e190193c43ce2ee892d3e2f33fc3e478f63a3fcbc2297626f2283f9d786fe511a2ad5520248107d23006e30c99d4f936c6845bac4bc18

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 17a15589233675d75288e214290f335e
SHA1 423459e22e93034f2507eb3380afb34580e34cd9
SHA256 aaee3db64bdcbcd4ad48e77690415d995bc3b77ef33c28ed0216cb7d573297e4
SHA512 45668e4eb2297dfa31730f668cd544df2ac7c1649fa5d0d357bbb1833395761afcf64c7ed7884e7cab62de98d1cbcb6bcf0dc5b7093704a4fb47d31c9b8446e3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8e74781f8d870f00b201052b400d75ba
SHA1 bc50650d0ef582f85ba83c6536650cf3d0546a29
SHA256 14ff8ef7f861e850780aa3817d3a0850d72d4db5290f8b6be71e03dfc0c38e89
SHA512 278ccb635473b8441e4f9871498b036eef7e646476e46eec88f28ac9143980f03aa0d76afe263e0d6012a52f0a053f3ab089c4a9a2b15266b41162e157ecdaca

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 7451d73a5d86b1af931780ab6a367075
SHA1 43bac4b46fe2e90f2e2451fb7ea95b773056692a
SHA256 2a14513ec53b268402a6c7e99cd0045934879e23f249c6f25b79f192b42763f9
SHA512 37350cbed99be4bfb45278f5c693e2cd914915494324e5cd170b65675162a0d26e0ffceeace6c905385ab20ed510b3c3686cc121f0c7f1535f82849df1338cbf
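The listing above is the raw Files table of the sandbox run: a dropped or touched path, then its MD5/SHA1/SHA256/SHA512 digests, with `memory/...-memory.dmp` entries for dumped process regions interleaved, and the same path (for example the Edge `Preferences` file) recurring with different digests as its contents changed. To use it for hunting you have to parse it and decide which digests are reusable indicators. The Python below is an added example, not part of this report or of the sandbox's tooling: it parses an excerpt copied verbatim from this section, rejects digests of the wrong length, and keeps only files dropped under Temp or Roaming for the hunt set, because the digests of the victim's own browser profile files (Edge `Preferences`, `TransportSecurity`, cache entries) are unique to this run and would only generate noise if shipped as IOCs. Two things in it are my assumptions rather than facts the report states: the reading of the dump filename as `<pid>-<seq>-0x<start>-0x<end>`, and the location-based categories.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an excerpt copied verbatim from this report's Files section.
# Format: a Windows path, a blank line, MD5/SHA1/SHA256/SHA512 lines; a line like
# "memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp" marks a dumped region
# (that reading of the dump filename is my assumption; the report does not say).
SAMPLE = r"""C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/5312-1055-0x0000000007CB0000-0x0000000007CC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ce6986b79a7f23d9127c9152458ea3ce
SHA1 ec130d6f794ba9fe596ae58d907d1f38fd530ed3
SHA256 9290e571026ddcc60fbeca36061c9e58951699e217860e321405539b8258f857
SHA512 fec8cee9b2510870c3d80b02dec1127687544fd3d4d70bf340ce50ddde143b9677985bc61613618c5d3e1c8f64dcb020f9775d4113ba9304d3846cb6ede149c6

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Artifact:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def category(self) -> str:
        """Location heuristic (my assumption, not a field of the report)."""
        if "\\User Data\\" in self.path:          # Chromium-family browser profile
            return "browser_profile"
        if "\\AppData\\Local\\Temp\\" in self.path:
            return "temp_drop"
        if "\\AppData\\Roaming\\" in self.path:
            return "roaming_drop"
        return "other"


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int


def parse_files_section(text: str):
    """Return (artifacts, memory_regions, errors) for one Files listing."""
    artifacts, regions, errors = [], [], []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = Artifact(path=line)   # the same path may recur with new hashes
            artifacts.append(current)
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None                  # a dump entry closes the previous record
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m[1], m[2].lower()
            if current is None:
                errors.append(f"line {lineno}: {algo} digest with no preceding path")
            elif len(digest) != HASH_LEN[algo]:
                errors.append(f"line {lineno}: {algo} digest has {len(digest)} hex chars")
            else:
                current.hashes[algo] = digest
            continue
        errors.append(f"line {lineno}: unrecognised line {line!r}")
    return artifacts, regions, errors


def hunting_hashes(artifacts, algo: str = "SHA256") -> set:
    """IOC-worthy digests: dropped files only, never victim-specific profile files."""
    return {a.hashes[algo] for a in artifacts
            if a.category in ("temp_drop", "roaming_drop") and algo in a.hashes}


if __name__ == "__main__":
    arts, regs, errs = parse_files_section(SAMPLE)
    print(f"{len(arts)} files, {len(regs)} memory regions, {len(errs)} errors")
    print("hunt set:", sorted(hunting_hashes(arts)))
```

Run against the whole Files section rather than the excerpt, the same code yields the full dropped-executable hash set while leaving out every Edge `Preferences`, `TransportSecurity` and `Cache\f_*` entry; the `errors` list is worth checking before trusting the output, since a truncated digest in a copied report is a common way to ship a useless indicator.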