Malware Analysis Report

2025-06-16 01:30

Sample ID 231031-hytylabc66
Target be7eb8af13a1c509c5e69b2481c1ca0f5d4a3888aaa4adf0f4baac91019ae3c1
SHA256 be7eb8af13a1c509c5e69b2481c1ca0f5d4a3888aaa4adf0f4baac91019ae3c1
Tags
amadey dcrat glupteba raccoon redline sectoprat smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza pixelnew up3 backdoor microsoft paypal collection discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

be7eb8af13a1c509c5e69b2481c1ca0f5d4a3888aaa4adf0f4baac91019ae3c1

Threat Level: Known bad

The file be7eb8af13a1c509c5e69b2481c1ca0f5d4a3888aaa4adf0f4baac91019ae3c1 was found to be: Known bad.

Malicious Activity Summary

amadey dcrat glupteba raccoon redline sectoprat smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza pixelnew up3 backdoor microsoft paypal collection discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan

SmokeLoader

RedLine

Detect ZGRat V1

Glupteba

DcRat

Raccoon Stealer payload

ZGRat

SectopRAT

SectopRAT payload

Suspicious use of NtCreateUserProcessOtherParentProcess

Glupteba payload

Raccoon

Amadey

RedLine payload

Modifies Windows Defender Real-time Protection settings

Modifies Windows Firewall

Drops file in Drivers directory

Blocklisted process makes network request

Stops running service(s)

Downloads MZ/PE file

Loads dropped DLL

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

Reads local data of messenger clients

Checks computer location settings

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks installed software on the system

Detected potential entity reuse from brand paypal.

Suspicious use of SetThreadContext

Drops file in System32 directory

Detected potential entity reuse from brand microsoft.

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

outlook_office_path

Uses Task Scheduler COM API

Enumerates system info in registry

outlook_win_path

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-31 07:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-31 07:09

Reported

2023-10-31 07:11

Platform

win10v2004-20231020-en

Max time kernel

93s

Max time network

155s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\D5A3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\D5A3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\D5A3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\D5A3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\D5A3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\D5A3.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D6CD.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F538.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\E834.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FBC2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D169.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D235.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zj2hh1DX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cu2YP2IY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hh3tX7wA.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D4F6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TL3Fm1tE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D5A3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D6CD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lc05TJ6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D8C2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E834.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EA29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EFA9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Nr437kS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F2C6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F538.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F74D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBC2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A
N/A N/A C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\dhjeidu N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe N/A
N/A N/A C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\D5A3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\D5A3.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F538.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F538.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F538.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F538.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F538.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hh3tX7wA.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TL3Fm1tE.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\EA29.exe'\"" C:\Users\Admin\AppData\Local\Temp\EA29.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\D169.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zj2hh1DX.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cu2YP2IY.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Detected potential entity reuse from brand microsoft.

phishing microsoft

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LAudioConverter\is-JBGG2.tmp C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-D78H7.tmp C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-G7550.tmp C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-6RFVT.tmp C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-2CNID.tmp C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\LAudioConverter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Program Files (x86)\LAudioConverter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-OEJQ5.tmp C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-1HP87.tmp C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-KSA7F.tmp C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\XML\Styles\is-CATLN.tmp C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-A5CQJ.tmp C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-K8HL5.tmp C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\XML\Styles\is-NC9N9.tmp C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-8RH9U.tmp C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-HALEF.tmp C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\XML\Styles\is-T73AL.tmp C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D5A3.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F74D.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBC2.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\be7eb8af13a1c509c5e69b2481c1ca0f5d4a3888aaa4adf0f4baac91019ae3c1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1724 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\be7eb8af13a1c509c5e69b2481c1ca0f5d4a3888aaa4adf0f4baac91019ae3c1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1724 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\be7eb8af13a1c509c5e69b2481c1ca0f5d4a3888aaa4adf0f4baac91019ae3c1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1724 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\be7eb8af13a1c509c5e69b2481c1ca0f5d4a3888aaa4adf0f4baac91019ae3c1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1724 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\be7eb8af13a1c509c5e69b2481c1ca0f5d4a3888aaa4adf0f4baac91019ae3c1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1724 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\be7eb8af13a1c509c5e69b2481c1ca0f5d4a3888aaa4adf0f4baac91019ae3c1.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3260 wrote to memory of 1088 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D169.exe
PID 3260 wrote to memory of 1088 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D169.exe
PID 3260 wrote to memory of 1088 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D169.exe
PID 3260 wrote to memory of 1392 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D235.exe
PID 3260 wrote to memory of 1392 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D235.exe
PID 3260 wrote to memory of 1392 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D235.exe
PID 1088 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\D169.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zj2hh1DX.exe
PID 1088 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\D169.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zj2hh1DX.exe
PID 1088 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\D169.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zj2hh1DX.exe
PID 3260 wrote to memory of 4808 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3260 wrote to memory of 4808 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3868 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zj2hh1DX.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cu2YP2IY.exe
PID 3868 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zj2hh1DX.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cu2YP2IY.exe
PID 3868 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zj2hh1DX.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cu2YP2IY.exe
PID 3520 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cu2YP2IY.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hh3tX7wA.exe
PID 3520 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cu2YP2IY.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hh3tX7wA.exe
PID 3520 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cu2YP2IY.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hh3tX7wA.exe
PID 3260 wrote to memory of 1876 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D4F6.exe
PID 3260 wrote to memory of 1876 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D4F6.exe
PID 3260 wrote to memory of 1876 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D4F6.exe
PID 1172 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hh3tX7wA.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TL3Fm1tE.exe
PID 1172 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hh3tX7wA.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TL3Fm1tE.exe
PID 1172 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hh3tX7wA.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TL3Fm1tE.exe
PID 3260 wrote to memory of 4872 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D5A3.exe
PID 3260 wrote to memory of 4872 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D5A3.exe
PID 3260 wrote to memory of 4872 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D5A3.exe
PID 3260 wrote to memory of 3388 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D6CD.exe
PID 3260 wrote to memory of 3388 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D6CD.exe
PID 3260 wrote to memory of 3388 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D6CD.exe
PID 1932 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TL3Fm1tE.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lc05TJ6.exe
PID 1932 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TL3Fm1tE.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lc05TJ6.exe
PID 1932 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TL3Fm1tE.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lc05TJ6.exe
PID 3260 wrote to memory of 4184 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D8C2.exe
PID 3260 wrote to memory of 4184 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D8C2.exe
PID 3260 wrote to memory of 4184 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D8C2.exe
PID 4808 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4808 wrote to memory of 2720 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3388 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\D6CD.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3388 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\D6CD.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3388 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\D6CD.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3260 wrote to memory of 3532 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E834.exe
PID 3260 wrote to memory of 3532 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E834.exe
PID 3260 wrote to memory of 3532 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E834.exe
PID 3260 wrote to memory of 1720 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EA29.exe
PID 3260 wrote to memory of 1720 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EA29.exe
PID 3260 wrote to memory of 1720 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EA29.exe
PID 3508 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lc05TJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3508 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lc05TJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3508 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lc05TJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3508 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lc05TJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3508 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lc05TJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3508 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lc05TJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3508 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lc05TJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3508 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lc05TJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3508 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lc05TJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3508 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lc05TJ6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3260 wrote to memory of 2928 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EFA9.exe
PID 3260 wrote to memory of 2928 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\EFA9.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F538.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\F538.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\be7eb8af13a1c509c5e69b2481c1ca0f5d4a3888aaa4adf0f4baac91019ae3c1.exe

"C:\Users\Admin\AppData\Local\Temp\be7eb8af13a1c509c5e69b2481c1ca0f5d4a3888aaa4adf0f4baac91019ae3c1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\D169.exe

C:\Users\Admin\AppData\Local\Temp\D169.exe

C:\Users\Admin\AppData\Local\Temp\D235.exe

C:\Users\Admin\AppData\Local\Temp\D235.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zj2hh1DX.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zj2hh1DX.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D37E.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cu2YP2IY.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cu2YP2IY.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hh3tX7wA.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hh3tX7wA.exe

C:\Users\Admin\AppData\Local\Temp\D4F6.exe

C:\Users\Admin\AppData\Local\Temp\D4F6.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TL3Fm1tE.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TL3Fm1tE.exe

C:\Users\Admin\AppData\Local\Temp\D5A3.exe

C:\Users\Admin\AppData\Local\Temp\D5A3.exe

C:\Users\Admin\AppData\Local\Temp\D6CD.exe

C:\Users\Admin\AppData\Local\Temp\D6CD.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lc05TJ6.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lc05TJ6.exe

C:\Users\Admin\AppData\Local\Temp\D8C2.exe

C:\Users\Admin\AppData\Local\Temp\D8C2.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\EFA9.exe

C:\Users\Admin\AppData\Local\Temp\EFA9.exe

C:\Users\Admin\AppData\Local\Temp\F2C6.exe

C:\Users\Admin\AppData\Local\Temp\F2C6.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\EA29.exe

C:\Users\Admin\AppData\Local\Temp\EA29.exe

C:\Users\Admin\AppData\Local\Temp\E834.exe

C:\Users\Admin\AppData\Local\Temp\E834.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Nr437kS.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Nr437kS.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8b6d846f8,0x7ff8b6d84708,0x7ff8b6d84718

C:\Users\Admin\AppData\Local\Temp\F74D.exe

C:\Users\Admin\AppData\Local\Temp\F74D.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 540

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\FBC2.exe

C:\Users\Admin\AppData\Local\Temp\FBC2.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2012 -ip 2012

C:\Users\Admin\AppData\Local\Temp\F538.exe

C:\Users\Admin\AppData\Local\Temp\F538.exe

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b6d846f8,0x7ff8b6d84708,0x7ff8b6d84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2860 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3080 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3064 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3020 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ea7c8244c8" /P "Admin:N"&&CACLS "..\ea7c8244c8" /P "Admin:R" /E&&Exit

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=F2C6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b6d846f8,0x7ff8b6d84708,0x7ff8b6d84718

C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp" /SL5="$6011A,2998240,68096,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b6d846f8,0x7ff8b6d84708,0x7ff8b6d84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8b6d846f8,0x7ff8b6d84708,0x7ff8b6d84718

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6120 -ip 6120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=F2C6.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe

"C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "LAC1031-1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/

C:\Users\Admin\AppData\Roaming\dhjeidu

C:\Users\Admin\AppData\Roaming\dhjeidu

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6120 -s 572

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "Utsysc.exe" /P "Admin:N"

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main

C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe

"C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe" -s

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll, Main

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b6d846f8,0x7ff8b6d84708,0x7ff8b6d84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8b6d846f8,0x7ff8b6d84708,0x7ff8b6d84718

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "Utsysc.exe" /P "Admin:R" /E

C:\Windows\system32\tar.exe

tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\350690463354_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=D8C2.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8b6d846f8,0x7ff8b6d84708,0x7ff8b6d84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8b6d846f8,0x7ff8b6d84708,0x7ff8b6d84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8b6d846f8,0x7ff8b6d84708,0x7ff8b6d84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b6d846f8,0x7ff8b6d84708,0x7ff8b6d84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7248 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\ea7c8244c8" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\ea7c8244c8" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=D8C2.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8b6d846f8,0x7ff8b6d84708,0x7ff8b6d84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8312 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4328 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8968 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9724 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9724 /prefetch:8

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7988 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,4192952984429630084,13980576482194700060,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7940 /prefetch:8

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
FI 77.91.68.249:80 77.91.68.249 tcp
RU 193.233.255.73:80 193.233.255.73 tcp
US 8.8.8.8:53 249.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 73.255.233.193.in-addr.arpa udp
NL 194.169.175.118:80 194.169.175.118 tcp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 118.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
BG 171.22.28.213:80 171.22.28.213 tcp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
US 149.40.62.171:15666 tcp
US 8.8.8.8:53 171.62.40.149.in-addr.arpa udp
IT 185.196.9.171:80 185.196.9.171 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 api.ipify.org udp
US 104.237.62.212:443 api.ipify.org tcp
US 8.8.8.8:53 171.9.196.185.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 212.62.237.104.in-addr.arpa udp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 194.49.94.11:80 194.49.94.11 tcp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 11.94.49.194.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 stim.graspalace.com udp
US 188.114.97.0:80 stim.graspalace.com tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com udp
US 185.196.8.176:80 185.196.8.176 tcp
US 185.196.8.176:80 185.196.8.176 tcp
US 8.8.8.8:53 57.240.123.52.in-addr.arpa udp
US 8.8.8.8:53 176.8.196.185.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 learn.microsoft.com udp
NL 104.85.2.139:443 learn.microsoft.com tcp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 store.steampowered.com udp
NL 104.85.0.101:443 store.steampowered.com tcp
US 8.8.8.8:53 98.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 139.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 172.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 101.0.85.104.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 13.107.246.67:443 js.monitor.azure.com tcp
US 8.8.8.8:53 67.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 mscom.demdex.net udp
IE 52.211.144.29:443 mscom.demdex.net tcp
US 8.8.8.8:53 target.microsoft.com udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
US 8.8.8.8:53 twitter.com udp
US 185.196.8.176:80 185.196.8.176 tcp
US 104.244.42.193:443 twitter.com tcp
US 104.244.42.193:443 twitter.com tcp
US 8.8.8.8:53 29.144.211.52.in-addr.arpa udp
US 8.8.8.8:53 193.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
US 185.196.8.176:80 185.196.8.176 tcp
JP 23.207.106.113:443 steamcommunity.com tcp
JP 23.207.106.113:443 steamcommunity.com tcp
US 8.8.8.8:53 113.106.207.23.in-addr.arpa udp
US 8.8.8.8:53 www.epicgames.com udp
US 3.214.39.91:443 www.epicgames.com tcp
US 3.214.39.91:443 www.epicgames.com tcp
US 8.8.8.8:53 www.paypal.com udp
US 151.101.1.21:443 www.paypal.com tcp
US 151.101.1.21:443 www.paypal.com tcp
US 8.8.8.8:53 190.119.177.108.in-addr.arpa udp
US 8.8.8.8:53 91.39.214.3.in-addr.arpa udp
US 8.8.8.8:53 21.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 130.47.239.18.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 store.akamai.steamstatic.com udp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 www.paypalobjects.com udp
US 8.8.8.8:53 171.252.72.23.in-addr.arpa udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 25.221.229.192.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 8.8.8.8:53 api.twitter.com udp
US 8.8.8.8:53 abs.twimg.com udp
US 8.8.8.8:53 pbs.twimg.com udp
US 20.44.10.123:443 browser.events.data.microsoft.com tcp
US 104.244.42.2:443 api.twitter.com tcp
US 8.8.8.8:53 video.twimg.com udp
NL 199.232.148.159:443 pbs.twimg.com tcp
US 8.8.8.8:53 t.co udp
US 152.199.21.141:443 abs.twimg.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
NL 199.232.148.158:443 video.twimg.com tcp
US 104.244.42.5:443 t.co tcp
US 8.8.8.8:53 community.akamai.steamstatic.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
US 20.44.10.123:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 159.148.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 141.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 158.148.232.199.in-addr.arpa udp
US 8.8.8.8:53 5.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 static.ads-twitter.com udp
NL 199.232.148.157:443 static.ads-twitter.com tcp
US 8.8.8.8:53 21.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 157.148.232.199.in-addr.arpa udp
US 8.8.8.8:53 tracking.epicgames.com udp
US 8.8.8.8:53 static-assets-prod.unrealengine.com udp
US 54.82.162.139:443 tracking.epicgames.com tcp
US 18.239.36.105:443 static-assets-prod.unrealengine.com tcp
US 18.239.36.105:443 static-assets-prod.unrealengine.com tcp
US 8.8.8.8:53 105.36.239.18.in-addr.arpa udp
US 8.8.8.8:53 139.162.82.54.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
IE 163.70.151.35:443 facebook.com tcp
US 8.8.8.8:53 i.ytimg.com udp
NL 172.217.168.246:443 i.ytimg.com tcp
US 8.8.8.8:53 fbcdn.net udp
IE 163.70.151.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 35.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 246.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
US 8.8.8.8:53 c.paypal.com udp
US 192.55.233.1:443 tcp
US 8.8.8.8:53 t.paypal.com udp
US 151.101.1.35:443 t.paypal.com tcp
US 8.8.8.8:53 www.recaptcha.net udp
NL 142.250.179.163:443 www.recaptcha.net tcp
US 192.55.233.1:443 tcp
US 8.8.8.8:53 35.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 163.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.paypalobjects.com udp
NL 142.250.179.163:443 www.recaptcha.net udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 95.214.26.28:80 host-host-file8.com tcp
US 8.8.8.8:53 28.26.214.95.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 store.akamai.steamstatic.com udp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 009ec73d-b369-4389-b5dc-9aa4d08c9d46.uuid.statsexplorer.org udp
US 8.8.8.8:53 www.paypal.com udp
US 8.8.8.8:53 c.paypal.com udp
US 8.8.8.8:53 b.stats.paypal.com udp
US 64.4.245.84:443 b.stats.paypal.com tcp
US 8.8.8.8:53 login.steampowered.com udp
JP 23.207.106.113:443 login.steampowered.com tcp
US 8.8.8.8:53 84.245.4.64.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 dub.stats.paypal.com udp
US 64.4.245.84:443 dub.stats.paypal.com tcp
US 8.8.8.8:53 api.steampowered.com udp
JP 23.207.106.113:443 api.steampowered.com tcp
JP 23.207.106.113:443 api.steampowered.com tcp
US 8.8.8.8:53 sentry.io udp
US 8.8.8.8:53 static-assets-prod.unrealengine.com udp
US 35.186.247.156:443 sentry.io tcp
US 18.239.36.73:443 static-assets-prod.unrealengine.com tcp
US 8.8.8.8:53 156.247.186.35.in-addr.arpa udp
US 8.8.8.8:53 73.36.239.18.in-addr.arpa udp
US 8.8.8.8:53 c6.paypal.com udp
US 8.8.8.8:53 api.twitter.com udp
US 104.244.42.130:443 api.twitter.com tcp
US 104.244.42.130:443 api.twitter.com tcp
US 8.8.8.8:53 talon-website-prod.ecosec.on.epicgames.com udp
US 104.18.41.136:443 talon-website-prod.ecosec.on.epicgames.com tcp
US 8.8.8.8:53 130.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 136.41.18.104.in-addr.arpa udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 server12.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
IN 172.253.121.127:19302 stun2.l.google.com udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 127.121.253.172.in-addr.arpa udp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 talon-service-prod.ecosec.on.epicgames.com udp
US 172.64.146.120:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 172.64.146.120:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 172.64.146.120:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 8.8.8.8:53 js.hcaptcha.com udp
US 8.8.8.8:53 120.146.64.172.in-addr.arpa udp
US 104.19.218.90:443 js.hcaptcha.com tcp
US 8.8.8.8:53 nelly-service-prod-cloudfront.ecosec.on.epicgames.com udp
US 18.65.39.18:443 nelly-service-prod-cloudfront.ecosec.on.epicgames.com tcp
US 8.8.8.8:53 90.218.19.104.in-addr.arpa udp
US 8.8.8.8:53 18.39.65.18.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 www.epicgames.com udp
US 8.8.8.8:53 newassets.hcaptcha.com udp
US 8.8.8.8:53 nelly-service-prod-cloudflare.ecosec.on.epicgames.com udp
US 104.18.42.25:443 nelly-service-prod-cloudflare.ecosec.on.epicgames.com tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.250.179.194:443 googleads.g.doubleclick.net tcp
NL 142.250.179.194:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 nelly-service-prod.ecbc.live.use1a.on.epicgames.com udp
US 3.220.71.165:443 nelly-service-prod.ecbc.live.use1a.on.epicgames.com tcp
US 8.8.8.8:53 hcaptcha.com udp
US 8.8.8.8:53 25.42.18.104.in-addr.arpa udp
US 8.8.8.8:53 194.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 165.71.220.3.in-addr.arpa udp
US 8.8.8.8:53 nelly-service-prod-akamai.ecosec.on.epicgames.com udp
NL 2.19.195.241:443 nelly-service-prod-akamai.ecosec.on.epicgames.com tcp
US 8.8.8.8:53 241.195.19.2.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
US 8.8.8.8:53 rr3---sn-hgn7rn7k.googlevideo.com udp
FR 172.217.130.200:443 rr3---sn-hgn7rn7k.googlevideo.com tcp
FR 172.217.130.200:443 rr3---sn-hgn7rn7k.googlevideo.com tcp
FR 172.217.130.200:443 rr3---sn-hgn7rn7k.googlevideo.com tcp
FR 172.217.130.200:443 rr3---sn-hgn7rn7k.googlevideo.com tcp
US 8.8.8.8:53 nelly-service-prod-fastly.ecosec.on.epicgames.com udp
FR 172.217.130.200:443 rr3---sn-hgn7rn7k.googlevideo.com tcp
FR 172.217.130.200:443 rr3---sn-hgn7rn7k.googlevideo.com tcp
US 151.101.2.132:443 nelly-service-prod-fastly.ecosec.on.epicgames.com tcp
US 8.8.8.8:53 200.130.217.172.in-addr.arpa udp
US 8.8.8.8:53 132.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 51.68.143.81:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 81.143.68.51.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
DE 135.125.238.108:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 108.238.125.135.in-addr.arpa udp
US 8.8.8.8:53 server12.statsexplorer.org udp
BG 185.82.216.108:443 server12.statsexplorer.org tcp
US 8.8.8.8:53 stun1.l.google.com udp
US 142.251.125.127:19302 stun1.l.google.com udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 127.125.251.142.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 youtube.com udp
NL 216.58.214.14:443 youtube.com tcp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp

Files

memory/496-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/496-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3260-2-0x0000000002EA0000-0x0000000002EB6000-memory.dmp

memory/496-3-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D169.exe

MD5 eb45ef6bd9971acef80f8e26ec64a079
SHA1 40f686f613a16fd7b3f44f9001b1783cdee945a9
SHA256 f58578468125e15478bc4125f13c9533ab3afe26d373deaf13b96a31e9ad1896
SHA512 dc17f38912c58736692270e044474c05cde9c172dd054edabbfee1e30c4f8e06f36620f6301d700f94980b878e44f490eaa6e08e6ed72cdd2d5fd075f4667e54

C:\Users\Admin\AppData\Local\Temp\D169.exe

MD5 eb45ef6bd9971acef80f8e26ec64a079
SHA1 40f686f613a16fd7b3f44f9001b1783cdee945a9
SHA256 f58578468125e15478bc4125f13c9533ab3afe26d373deaf13b96a31e9ad1896
SHA512 dc17f38912c58736692270e044474c05cde9c172dd054edabbfee1e30c4f8e06f36620f6301d700f94980b878e44f490eaa6e08e6ed72cdd2d5fd075f4667e54

C:\Users\Admin\AppData\Local\Temp\D235.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\D235.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zj2hh1DX.exe

MD5 c6c204620d2f12581ede279d86e46d6f
SHA1 631584bbedaded6d819ac233aeeb4546206886d8
SHA256 c6aaf05ed9dd1cc3cc94b5a69b5892e4c79bdc1d11d4fedac384641a2e7a5c32
SHA512 5043c28652d8fc5c52762c4d30ad575455600155cbd6d29353f514f670d7674248c1802ad93850db289383ada5dba4436518f1ffb4bc2c38562b65f6ef507531

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zj2hh1DX.exe

MD5 c6c204620d2f12581ede279d86e46d6f
SHA1 631584bbedaded6d819ac233aeeb4546206886d8
SHA256 c6aaf05ed9dd1cc3cc94b5a69b5892e4c79bdc1d11d4fedac384641a2e7a5c32
SHA512 5043c28652d8fc5c52762c4d30ad575455600155cbd6d29353f514f670d7674248c1802ad93850db289383ada5dba4436518f1ffb4bc2c38562b65f6ef507531

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cu2YP2IY.exe

MD5 ebad7922673f6fd1b3aac29c133497e1
SHA1 948ac9f49afb28990c33c919245ed138b7789096
SHA256 c7204f9d7c1b2359a4a7d421425ca36f550759d94928dadd4f530ddde563d64f
SHA512 1d5845d721069b5e86227c3c491e6ff0bcd3afb5fc9857965790a4d7b72709528f5bb632efd4618094bd2ac6555607d5e121c5fc77655f9145b324b909265496

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Cu2YP2IY.exe

MD5 ebad7922673f6fd1b3aac29c133497e1
SHA1 948ac9f49afb28990c33c919245ed138b7789096
SHA256 c7204f9d7c1b2359a4a7d421425ca36f550759d94928dadd4f530ddde563d64f
SHA512 1d5845d721069b5e86227c3c491e6ff0bcd3afb5fc9857965790a4d7b72709528f5bb632efd4618094bd2ac6555607d5e121c5fc77655f9145b324b909265496

C:\Users\Admin\AppData\Local\Temp\D37E.bat

MD5 e79bae3b03e1bff746f952a0366e73ba
SHA1 5f547786c869ce7abc049869182283fa09f38b1d
SHA256 900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63
SHA512 c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hh3tX7wA.exe

MD5 f4ea86adf74cfd4afca91a9960c00a6f
SHA1 ce3e6d3ca609a660440dd5a42218432689475ef5
SHA256 a02aa803908c8056cd585ef89bccc9e4fee956b10881d9e1ea115fa0f05f36e5
SHA512 c5edea93c84206314b323f8b1891e0abcb8ad8384b45140860db31b38a829c0e97bebdb79eb2a8bfe2afffd828d325d0693009813fd41c3ae7f9db57b114a08b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Hh3tX7wA.exe

MD5 f4ea86adf74cfd4afca91a9960c00a6f
SHA1 ce3e6d3ca609a660440dd5a42218432689475ef5
SHA256 a02aa803908c8056cd585ef89bccc9e4fee956b10881d9e1ea115fa0f05f36e5
SHA512 c5edea93c84206314b323f8b1891e0abcb8ad8384b45140860db31b38a829c0e97bebdb79eb2a8bfe2afffd828d325d0693009813fd41c3ae7f9db57b114a08b

C:\Users\Admin\AppData\Local\Temp\D4F6.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\D5A3.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\D5A3.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TL3Fm1tE.exe

MD5 2fbe68a27108ae4ba4d6b87d5f0668b0
SHA1 ae3e5c96dbfa4a740ef3af20f018f68ba5288dfe
SHA256 1e846114747caf60e457d10d1900533d615b1c6b4fe8aa0cb9fdc2e03784b1a9
SHA512 e6325b962772917a290e0d8ea8984d521b5f8ecaf3fe772cf5fad3fd416b161f264e5270a25bc6c5fb3439ce8ac4a4192997f2de1c3c76b420a3d283d245cfed

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\TL3Fm1tE.exe

MD5 2fbe68a27108ae4ba4d6b87d5f0668b0
SHA1 ae3e5c96dbfa4a740ef3af20f018f68ba5288dfe
SHA256 1e846114747caf60e457d10d1900533d615b1c6b4fe8aa0cb9fdc2e03784b1a9
SHA512 e6325b962772917a290e0d8ea8984d521b5f8ecaf3fe772cf5fad3fd416b161f264e5270a25bc6c5fb3439ce8ac4a4192997f2de1c3c76b420a3d283d245cfed

C:\Users\Admin\AppData\Local\Temp\D4F6.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\D6CD.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\D6CD.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lc05TJ6.exe

MD5 73014b13ec731a1ca3c6d55b8e364adc
SHA1 ac1860f70b5ee4eb1118e35a81bda449db200138
SHA256 e198e92a85e5ea4d29d04ce986af99c0b951190a53bba9e1b975e4dadaf64c0d
SHA512 191ee09e2aeafecca3ca503ccd3778a0cb18aabcecbd5e7b843ac6348a14629a34076c26c0427d04af12a642f1d1fa31577eb3b5e2652507e66f7a36ad0667f3

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Lc05TJ6.exe

MD5 73014b13ec731a1ca3c6d55b8e364adc
SHA1 ac1860f70b5ee4eb1118e35a81bda449db200138
SHA256 e198e92a85e5ea4d29d04ce986af99c0b951190a53bba9e1b975e4dadaf64c0d
SHA512 191ee09e2aeafecca3ca503ccd3778a0cb18aabcecbd5e7b843ac6348a14629a34076c26c0427d04af12a642f1d1fa31577eb3b5e2652507e66f7a36ad0667f3

memory/4872-74-0x00000000738E0000-0x0000000074090000-memory.dmp

memory/3260-73-0x0000000003530000-0x0000000003540000-memory.dmp

memory/3260-77-0x0000000003530000-0x0000000003540000-memory.dmp

memory/1876-78-0x00000000738E0000-0x0000000074090000-memory.dmp

memory/3260-79-0x0000000003530000-0x0000000003540000-memory.dmp

memory/3260-80-0x0000000003540000-0x0000000003550000-memory.dmp

memory/3260-82-0x0000000003530000-0x0000000003540000-memory.dmp

memory/3260-90-0x0000000003530000-0x0000000003540000-memory.dmp

memory/3260-85-0x0000000003530000-0x0000000003540000-memory.dmp

memory/1876-84-0x00000000072E0000-0x0000000007884000-memory.dmp

memory/3260-94-0x0000000003530000-0x0000000003540000-memory.dmp

memory/3260-95-0x0000000007850000-0x0000000007860000-memory.dmp

memory/1876-88-0x0000000006E10000-0x0000000006EA2000-memory.dmp

memory/1876-76-0x0000000000090000-0x00000000000CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D8C2.exe

MD5 e506a24a96ce9409425a4b1761374bb1
SHA1 27455f1cd65d796ba50397f06aa4961b7799e98a
SHA256 880265cb3889dd109ac84a6756367ae56b73b483343a84a42fb35d16c816ec71
SHA512 6e3bf3ba5a551d4f46130b42f41e3c36ec29024acd3ef05d95c31edc207378800d31137a27e975e6bd9e09ae41feabd197db920404972449132912478b0ad612

memory/4872-70-0x0000000000830000-0x000000000083A000-memory.dmp

memory/4872-98-0x00000000738E0000-0x0000000074090000-memory.dmp

memory/3260-102-0x0000000007850000-0x0000000007860000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E834.exe

MD5 f99fa1c0d1313b7a5dc32cd58564671d
SHA1 0e3ada17305b7478bb456f5ad5eb73a400a78683
SHA256 8a964d8fb52489ba9086bf0ab5cf8ca7822fe698d03e5e6d5174640f52b8c5ee
SHA512 bbee03761f2ffe4ab99d3e2dd02f49460b1100583ceb0e06f2765eff776d3167880a8dbbb8079c659d39fc3cc8e24dfdd8395ced3eeb6a13ef598ba8b9269a25

C:\Users\Admin\AppData\Local\Temp\E834.exe

MD5 f99fa1c0d1313b7a5dc32cd58564671d
SHA1 0e3ada17305b7478bb456f5ad5eb73a400a78683
SHA256 8a964d8fb52489ba9086bf0ab5cf8ca7822fe698d03e5e6d5174640f52b8c5ee
SHA512 bbee03761f2ffe4ab99d3e2dd02f49460b1100583ceb0e06f2765eff776d3167880a8dbbb8079c659d39fc3cc8e24dfdd8395ced3eeb6a13ef598ba8b9269a25

memory/3532-120-0x0000000000950000-0x0000000001334000-memory.dmp

memory/1876-122-0x0000000007EB0000-0x00000000084C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EFA9.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

C:\Users\Admin\AppData\Local\Temp\EFA9.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

memory/2012-132-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2012-127-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3532-131-0x00000000738E0000-0x0000000074090000-memory.dmp

memory/3260-130-0x0000000003530000-0x0000000003540000-memory.dmp

memory/3260-125-0x0000000003530000-0x0000000003540000-memory.dmp

memory/1876-124-0x0000000007890000-0x000000000799A000-memory.dmp

memory/1876-123-0x00000000738E0000-0x0000000074090000-memory.dmp

memory/4184-121-0x0000000000400000-0x0000000000480000-memory.dmp

memory/3260-119-0x0000000003530000-0x0000000003540000-memory.dmp

memory/3260-118-0x0000000003530000-0x0000000003540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA29.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

C:\Users\Admin\AppData\Local\Temp\EA29.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/3260-112-0x0000000003530000-0x0000000003540000-memory.dmp

memory/3260-108-0x0000000003530000-0x0000000003540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/3260-101-0x0000000003530000-0x0000000003540000-memory.dmp

memory/1876-100-0x0000000006EC0000-0x0000000006ECA000-memory.dmp

memory/3260-97-0x0000000003530000-0x0000000003540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D8C2.exe

MD5 e506a24a96ce9409425a4b1761374bb1
SHA1 27455f1cd65d796ba50397f06aa4961b7799e98a
SHA256 880265cb3889dd109ac84a6756367ae56b73b483343a84a42fb35d16c816ec71
SHA512 6e3bf3ba5a551d4f46130b42f41e3c36ec29024acd3ef05d95c31edc207378800d31137a27e975e6bd9e09ae41feabd197db920404972449132912478b0ad612

memory/1876-143-0x0000000007130000-0x000000000716C000-memory.dmp

memory/2928-147-0x0000000000460000-0x0000000000840000-memory.dmp

memory/2012-137-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3260-140-0x0000000003530000-0x0000000003540000-memory.dmp

memory/1876-136-0x0000000007090000-0x00000000070A2000-memory.dmp

memory/3260-135-0x0000000003530000-0x0000000003540000-memory.dmp

memory/4184-139-0x0000000000560000-0x00000000005BA000-memory.dmp

memory/2928-158-0x0000000005130000-0x00000000051CC000-memory.dmp

memory/1876-156-0x0000000007170000-0x00000000071BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F538.exe

MD5 993c85b5b1c94bfa3b7f45117f567d09
SHA1 cb704e8d65621437f15a21be41c1169987b913de
SHA256 cb6c640fbc6289b261bca0ee881bfcc8c4df2e89baaab7a4fed4e0e3b0dc9d37
SHA512 182d6cb6f3e6618375e8e793c6ce5d3c73da8183d4acad8bad60f35242c264260423e22a68ea64022c9c0c61b226edc4dd3791e6947e42c418355baa623e1f24

memory/2928-165-0x00000000738E0000-0x0000000074090000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F74D.exe

MD5 463d1200107d98891f04dbbeece19716
SHA1 03a4071c18909714676b4c85e2b960782a0e7d29
SHA256 e38d2e806efa284c129eca4aff2e81c6cc43f969c5603c2d48efda1a333746e6
SHA512 7b257d1f9bc8bef6879f70786eb5580241c1c0e77a458a6d28eaf8ab1571a054ffaf60f9e485ee9890e14abbc7fb9e9e84627dd9c9a224b24c5cd6041a9d4922

C:\Users\Admin\AppData\Local\Temp\F2C6.exe

MD5 358dc0342427670dcd75c2542bcb7e56
SHA1 5b70d6eb8d76847b6d3902f25e898c162b2ba569
SHA256 45d1df2aa5755f65a6710f2a4652bedc72f099ff53cb69301aac9a5518276e60
SHA512 2fff83f04c11e8e99817b9a9c173d29d9d4169805872706dd765a1891157960a7e46cd30a40cedd43de5521d96070a67f6eaea18c53d796c294b386bc5b356e5

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

memory/3620-175-0x0000000007A70000-0x0000000007A80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

memory/2464-186-0x0000000000400000-0x0000000000461000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F74D.exe

MD5 463d1200107d98891f04dbbeece19716
SHA1 03a4071c18909714676b4c85e2b960782a0e7d29
SHA256 e38d2e806efa284c129eca4aff2e81c6cc43f969c5603c2d48efda1a333746e6
SHA512 7b257d1f9bc8bef6879f70786eb5580241c1c0e77a458a6d28eaf8ab1571a054ffaf60f9e485ee9890e14abbc7fb9e9e84627dd9c9a224b24c5cd6041a9d4922

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

memory/2452-192-0x0000000000420000-0x000000000043E000-memory.dmp

memory/2452-200-0x00000000738E0000-0x0000000074090000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

memory/2464-190-0x0000000000590000-0x00000000005CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FBC2.exe

MD5 b6d627dcf04d04889b1f01a14ec12405
SHA1 f7292c3d6f2003947cc5455b41df5f8fbd14df14
SHA256 9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf
SHA512 1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937

C:\Users\Admin\AppData\Local\Temp\FBC2.exe

MD5 b6d627dcf04d04889b1f01a14ec12405
SHA1 f7292c3d6f2003947cc5455b41df5f8fbd14df14
SHA256 9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf
SHA512 1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937

C:\Users\Admin\AppData\Local\Temp\F538.exe

MD5 993c85b5b1c94bfa3b7f45117f567d09
SHA1 cb704e8d65621437f15a21be41c1169987b913de
SHA256 cb6c640fbc6289b261bca0ee881bfcc8c4df2e89baaab7a4fed4e0e3b0dc9d37
SHA512 182d6cb6f3e6618375e8e793c6ce5d3c73da8183d4acad8bad60f35242c264260423e22a68ea64022c9c0c61b226edc4dd3791e6947e42c418355baa623e1f24

memory/3620-162-0x00000000738E0000-0x0000000074090000-memory.dmp

memory/3620-161-0x0000000000C80000-0x0000000000CBE000-memory.dmp

memory/3260-155-0x0000000003530000-0x0000000003540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F2C6.exe

MD5 358dc0342427670dcd75c2542bcb7e56
SHA1 5b70d6eb8d76847b6d3902f25e898c162b2ba569
SHA256 45d1df2aa5755f65a6710f2a4652bedc72f099ff53cb69301aac9a5518276e60
SHA512 2fff83f04c11e8e99817b9a9c173d29d9d4169805872706dd765a1891157960a7e46cd30a40cedd43de5521d96070a67f6eaea18c53d796c294b386bc5b356e5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Nr437kS.exe

MD5 9f183003e25e4d7670b2e331f59d3733
SHA1 629ec86281d508bdd31e4795c6f94c1e1b51b20e
SHA256 3006f3e973a25ee1415d5228f067ea9a98e7026aa2551eadf17cd051ec11cd30
SHA512 8e7f989c472c4bd70279ad57a8840aff0227eeae16816151018ceab09a4a6aa8132dd8a985b77ebcef61cf4aca8a1a341fd2f006ef2ae032fad89b23d6b66d2f

memory/2012-150-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3260-148-0x0000000003530000-0x0000000003540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2Nr437kS.exe

MD5 9f183003e25e4d7670b2e331f59d3733
SHA1 629ec86281d508bdd31e4795c6f94c1e1b51b20e
SHA256 3006f3e973a25ee1415d5228f067ea9a98e7026aa2551eadf17cd051ec11cd30
SHA512 8e7f989c472c4bd70279ad57a8840aff0227eeae16816151018ceab09a4a6aa8132dd8a985b77ebcef61cf4aca8a1a341fd2f006ef2ae032fad89b23d6b66d2f

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

MD5 b6d627dcf04d04889b1f01a14ec12405
SHA1 f7292c3d6f2003947cc5455b41df5f8fbd14df14
SHA256 9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf
SHA512 1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937

memory/2452-218-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

memory/4480-223-0x0000000000DE0000-0x0000000000DE8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/4872-232-0x00000000738E0000-0x0000000074090000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

MD5 b6d627dcf04d04889b1f01a14ec12405
SHA1 f7292c3d6f2003947cc5455b41df5f8fbd14df14
SHA256 9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf
SHA512 1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

MD5 b6d627dcf04d04889b1f01a14ec12405
SHA1 f7292c3d6f2003947cc5455b41df5f8fbd14df14
SHA256 9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf
SHA512 1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/3532-239-0x00000000738E0000-0x0000000074090000-memory.dmp

memory/3260-231-0x0000000007850000-0x0000000007860000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/4480-228-0x00007FF8B51C0000-0x00007FF8B5C81000-memory.dmp

memory/4184-240-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 64213bb27dc75b8130704ac22279e854
SHA1 d27b01829bb1200d38ef023d0d222d379fcdbe80
SHA256 a358498c64c41b6cd7e0580373d140c89eda74a7f041eb9004689ae15dc55b4c
SHA512 00d57ebd7d9201330f749f995c15c758f4b40eb9cd650afc43bb7444f00e0a5da29bb724fa4bfa64b61dceaf73749999fe08ee69832b372418e64e4510a4245f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

\??\pipe\LOCAL\crashpad_2720_WRFYAJOWUOLAKFLS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3620-278-0x00000000738E0000-0x0000000074090000-memory.dmp

memory/3260-291-0x0000000003500000-0x0000000003510000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 8086472cdf9d210dd9e9bcc31f0e2e2b
SHA1 1a1c2a93ca77136391614ab49eeda94862c5a811
SHA256 07f571086e8ce3edfa26288b2d658facd94f09fd4bd923309306050b51264477
SHA512 be6df62703b024c4e62c33be241aa22815df7b5bca36592cf6455d4de3f90edac9f1f79815a4ccc3d236e2fe578f0e381bff0ef6747d0afc80679a3972cd1e45

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

memory/5632-306-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5632-308-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2928-307-0x0000000002A70000-0x0000000002A7A000-memory.dmp

memory/4676-302-0x0000000000910000-0x0000000000919000-memory.dmp

memory/5624-301-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 8086472cdf9d210dd9e9bcc31f0e2e2b
SHA1 1a1c2a93ca77136391614ab49eeda94862c5a811
SHA256 07f571086e8ce3edfa26288b2d658facd94f09fd4bd923309306050b51264477
SHA512 be6df62703b024c4e62c33be241aa22815df7b5bca36592cf6455d4de3f90edac9f1f79815a4ccc3d236e2fe578f0e381bff0ef6747d0afc80679a3972cd1e45

memory/5632-298-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4676-297-0x0000000000B00000-0x0000000000C00000-memory.dmp

memory/2928-295-0x00000000738E0000-0x0000000074090000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 8086472cdf9d210dd9e9bcc31f0e2e2b
SHA1 1a1c2a93ca77136391614ab49eeda94862c5a811
SHA256 07f571086e8ce3edfa26288b2d658facd94f09fd4bd923309306050b51264477
SHA512 be6df62703b024c4e62c33be241aa22815df7b5bca36592cf6455d4de3f90edac9f1f79815a4ccc3d236e2fe578f0e381bff0ef6747d0afc80679a3972cd1e45

memory/4480-311-0x00007FF8B51C0000-0x00007FF8B5C81000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp

MD5 76a0e9b1e8b487085d3eedf0ba8d1062
SHA1 d353c3c584127c0db9d7d0b04d776be5920dd0bb
SHA256 25a8b697629d47fdf66c7815130fb119c9f2b6aabaf17a4851f059a565b71258
SHA512 3c7e0ce15f515c87a7b228831fc01c578d69070abef88af526aeefe5493561e4ab94372e2bffff5016407f13185f733078f6893a7ed9117369e179ba140ea020

C:\Users\Admin\AppData\Local\Temp\350690463354

MD5 6f2d970c80fc5d41bdf04669446c28d0
SHA1 96101da2b8818a36019d9bc7e22604c81a2db919
SHA256 fd87c77c6235bce09c84149faab0b5e13554fc15d884e6d8c9b0dcab04129c02
SHA512 4217ac233864ea7664b3fc4c266d1f06a4f92662c22ec94fe8069170d1301188bf663d2940f182efc4f67cc71160dc908bf325f6037068ba7444bd087c7f0980

memory/2464-323-0x0000000000400000-0x0000000000461000-memory.dmp

memory/2928-330-0x0000000005330000-0x0000000005340000-memory.dmp

memory/2928-344-0x0000000005340000-0x0000000005350000-memory.dmp

memory/3008-328-0x00000000029C0000-0x0000000002DBF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

memory/3008-347-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/6120-390-0x0000000000400000-0x000000000041B000-memory.dmp

C:\ProgramData\CoreArchive\CoreArchive.exe

MD5 375326eaed812c2a6e558b2253dc60a3
SHA1 cb7bca9b86b5cd6e272933b1b4d1a808e7cf3fec
SHA256 b6474f6e3b46565b400f91b34d07ce091c30a940d5a4279fa4d91b9a990e5ca8
SHA512 6794172bdfc1a017af987da84c31eb18c2b5f74772788b79a6c80f7b4d718f1ae3785476b8be4001a13846847246ad18e8e845b3a04a8be9d6c71985f558c012

memory/3524-405-0x0000000000400000-0x0000000000611000-memory.dmp

memory/3524-399-0x0000000000400000-0x0000000000611000-memory.dmp

memory/3884-411-0x00007FF799910000-0x00007FF799EB1000-memory.dmp

memory/6120-385-0x0000000000400000-0x000000000041B000-memory.dmp

memory/6120-348-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll

MD5 1c27631e70908879e1a5a8f3686e0d46
SHA1 31da82b122b08bb2b1e6d0c904993d6d599dc93a
SHA256 478aa272d465eaa49c2f12fc141af2c0581f569ccf67f628747d90cc03a1e6a9
SHA512 7230ccad5e910f4f1aafb26642670c227a5d6e30f9c3de9a111e9c471651e54e352c56f34093667e6a51e78d01f3271c5e9d3248de5e1e82ae0e5d2aaea977dd

memory/2928-314-0x0000000005350000-0x00000000054E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-5NJRF.tmp\LzmwAqmV.tmp

MD5 76a0e9b1e8b487085d3eedf0ba8d1062
SHA1 d353c3c584127c0db9d7d0b04d776be5920dd0bb
SHA256 25a8b697629d47fdf66c7815130fb119c9f2b6aabaf17a4851f059a565b71258
SHA512 3c7e0ce15f515c87a7b228831fc01c578d69070abef88af526aeefe5493561e4ab94372e2bffff5016407f13185f733078f6893a7ed9117369e179ba140ea020

memory/2928-309-0x0000000002A90000-0x0000000002A98000-memory.dmp

memory/5632-428-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3260-427-0x0000000003200000-0x0000000003216000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 343f27e79cb9afba7e0a800e78a8385a
SHA1 a2bfe0dd169a967322b1a480143beb1aa3e36612
SHA256 b6258736f0c1b6b1c80cfd8d5d964eb68fc0482a664f208fb83eb918c2f09e01
SHA512 7f44a33bd8a8fe0283ac37633eb490fc7b854ff371c7e6c27adc4c04435a4da975bb37ee9aeaab5827f30b4a5f1d22be2f7189f853a3f9185dc4f90c3cd20191

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9892d186b250863edc0d8c1a5568f20a
SHA1 e6e56698f3d47ee6203f93c34b05ba407496f46c
SHA256 7af816f64cd1d91f14a924bb7c01e6bbd42913618fec4c0a3d7deb8ca884eaef
SHA512 18ab7c5a7975761a3b9db2fd798f321bf71024a92fab95cdcc0c262fbbd72f3feb592fedb3e5d7d44f16d193d2d53ef171d5976bfdaafc0254ca1e357d22b6a3

C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll

MD5 ceffd8c6661b875b67ca5e4540950d8b
SHA1 91b53b79c98f22d0b8e204e11671d78efca48682
SHA256 da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2
SHA512 6f78e3479c7b80cee0c2cea33a5b3e06c65b3e85a558f2df4b72211f714b81a2549daed0bc7ffe1456867b447ede9caeec73a6c4d2b345aad664d501212d07d4

C:\Users\Admin\AppData\Local\Temp\tmp3F95.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

memory/5624-476-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp46BF.tmp

MD5 aeb9754f2b16a25ed0bd9742f00cddf5
SHA1 ef96e9173c3f742c4efbc3d77605b85470115e65
SHA256 df20bc98e43d13f417cd68d31d7550a1febdeaf335230b8a6a91669d3e69d005
SHA512 725662143a3ef985f28e43cc2775e798c8420a6d115fb9506fdfcc283fc67054149e22c6bc0470d1627426c9a33c7174cefd8dc9756bf2f5fc37734d5fcecc75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 1c706d53e85fb5321a8396d197051531
SHA1 0d92aa8524fb1d47e7ee5d614e58a398c06141a4
SHA256 80c44553381f37e930f1c82a1dc2e77acd7b955ec0dc99d090d5bd6b32c3c932
SHA512 d43867392c553d4afffa45a1b87a74e819964011fb1226ee54e23a98fc63ca80e266730cec6796a2afa435b1ea28aed72c55eae1ae5d31ec778f53be3e2162fc

C:\Users\Admin\AppData\Local\Temp\tmp477D.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmp4768.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp47DD.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Temp\tmp4793.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

memory/5800-673-0x0000000000400000-0x00000000004BE000-memory.dmp

memory/3008-679-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0q5xaux2.opl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/5964-774-0x0000000000400000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 89fbc15e4ee80acaf37d55e5a39ed5a4
SHA1 05b1d834edc5bb8fbc964b21fafa2fa6ec31902f
SHA256 1e967e6e17703e294795532fac9116271ffef175c0442e8fa4dc0564ddf5c300
SHA512 b385ab7148bd3bb378e38c9ec62e7de84070d03938bfbd1245ef5c05cd3ec2e4bb332cab562ec9d177854649ac2cbb54ece42765dd2aa32c62d0fd81f1287490

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 700ccab490f0153b910b5b6759c0ea82
SHA1 17b5b0178abcd7c2f13700e8d74c2a8c8a95792a
SHA256 9aa923557c6792b15d8a80dd842f344c0a18076d7853dd59d6fd5d51435c7876
SHA512 0fec3d9549c117a0cb619cc4b13c1c69010cafceefcca891b33f4718c8d28395e8ab46cc308fbc57268d293921b07fabaf4903239091cee04243890f2010447f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

MD5 e51f388b62281af5b4a9193cce419941
SHA1 364f3d737462b7fd063107fe2c580fdb9781a45a
SHA256 348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c
SHA512 1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 e88dc4f7ebee3966fcefeadc6ba6dc46
SHA1 067971ef5c2a9b8d39241007f0aa89f2a86f80c1
SHA256 5309c1172cf3771092875881f46bf6023cd18c2eaaa8098ffa7f6ef3c4f2d8e5
SHA512 b76c8c5edafb2ee316ba8da434e77e66a56c99bdc29a55ff842f540325e54be211581c3797af2b6ede929c87f89f3bd69ae3c1ea17ab5de2389ef96c0e9bba20

memory/3008-895-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

MD5 9ccf99218c070af5e05a0c0e263711b1
SHA1 715d973b95d0b0a5216005b26fa37cced0880493
SHA256 5d11273c11ca40bc38466aeb926347630bcc6981aeb2441f33d17e36f9589de1
SHA512 17a7cbd05dfb6dc4df4991d449966bc02d2ad4ef6091b4fbd9b1fd18abfefd35f02e9b8c641a2ae426c704223cd0445473b3705dd8e62c2eda9d3d9a081046a3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

MD5 34504ed4414852e907ecc19528c2a9f0
SHA1 0694ca8841b146adcaf21c84dedc1b14e0a70646
SHA256 c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810
SHA512 173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

MD5 522037f008e03c9448ae0aaaf09e93cb
SHA1 8a32997eab79246beed5a37db0c92fbfb006bef2
SHA256 983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7
SHA512 643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

MD5 240c4cc15d9fd65405bb642ab81be615
SHA1 5a66783fe5dd932082f40811ae0769526874bfd3
SHA256 030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07
SHA512 267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d9eaf5336939bf47acb7bf00a5f736cd
SHA1 7f10095b84b86e10e085f84b2033b17cf5a822ee
SHA256 1269df19e1b07d4a57f77db5da32baeb1f951cf587678f94e0fc52c7f9ae6166
SHA512 9652428beec9e57a7aad97ce43270eef08c07aa43db700fdbc65ab6bc00906d5c2d0f4f9d54141d5c103a1f889737caa2494f48f9ff494ec58bbe0f44f1a58f7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

MD5 1b5b34f4d0f646e927d94bba3af86c68
SHA1 3f291ff643e89550ea2ce210b05b3667f1a079e5
SHA256 244781d8f4c5a0bb7bb11ce757bcec15c17aad4be10de5f4671d7903db194a0d
SHA512 103a8f4e63d3521c414890a549a8f9e3ac765c540c02114a334f4596f14114ed89c91cfb7ba243f6b690a85f9df5ff3c9c9190a10e7a53919decd5feba37150a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0ec1b0c28bda8fd0b1b6b613e53bf083
SHA1 76aaa498e0f48953debc5cae1f1b6bb73379f9e4
SHA256 b0da643347f941dbec8215bd0e17644c5dd86989243bbe4632463d58ec8a2814
SHA512 f97f4e005a33e30700091653137d1382641d7c507b2f0cd722b6ab9aa89050e1b11f1d7014b2ee6e47792d61037a7f9810f89fd224e38cc89a53a52929ef0997

memory/3884-1093-0x00007FF799910000-0x00007FF799EB1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f66c0ace8174eed4c47dc10c9bb66d0e
SHA1 9e6457309b9f695a49999a5d27a24de8648cfa95
SHA256 06924de4d94173376805aa94d1b7ca842b14aeffb317d2f0a922357f602670e2
SHA512 7833522d30511d473252bca14d0bf44a088cefe1a9d882248518ba28b5ad29005fae397d4aa330f33ac969f3ee9d397c6d924d61db1b2fc4814306c5f2623521

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 b364a4426da23f1e41f07c305b36b041
SHA1 8774eac86dd33696d85d6931d8a1a900a20a910f
SHA256 8a900530611bddc89ba47a4243ae5ae159a9c5406fbe4d9664c459c12e0deebf
SHA512 04a9e2f8794d89f39e091bbbb5a67d430eff4d8dfdac983854f87fb80efc716ee7f4a50e96519d2347bfb2a5501195c346bf101c4e7e8f582092bc8059492c56

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f66f7b5692ee736060c349816f4064ca
SHA1 5651ee25f6e8a2bf7a03dc05d0e842e043299147
SHA256 537116c58ccd2004323e24aaea7f344e28c955adf5fc755d3ba6ececd372cebe
SHA512 2a218af817311e0d753264576078e9d92205398eeb3b9fcb2f6968ae90b2d11cae453a96c0f2ca83e78f6bbe7e4db825e25391b46761f8cd98de7bbfcfa80211

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 726fe058e637b608cbce2ea39a0e6581
SHA1 dce05b75e9752b1ac1960003dca25147aa59f169
SHA256 1894d76186b64d1b70ab544c42dff059b6db3ef515ceb8a9146c714fa2188f79
SHA512 38e50017cbf245e4ae7997c97987219de7776b20bb125fe79be1b5621c023c2b0b07291306a8d3070b3316b91a0e94e680d215e1786fd604bdeaaf4ec1461951

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9027bbe11c62dcd5d3dd8e557499fd2e
SHA1 471459aba505a337c74760571230c314d585cbc7
SHA256 e79f3391f0fb8558c417080be1bacda9b3075bfe30970b9f522184d93b2d0339
SHA512 2123ba61186e900672c32769914dcd6f6cd1719535580037a59837c672cd777fef4f6b98bea1403e79d687c76cb7390c032d373c04714961872d3935afbc6d24

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

MD5 7e2a819601bdb18df91d434ca4d95976
SHA1 94c8d876f9e835b82211d1851314c43987290654
SHA256 7da655bf7ac66562215c863212e7225e1d3485e47e4c2d3c09faac7f78999db1
SHA512 1ca1d95cc91cb06a22b8d30a970c254e334db7ff6bad255333bac2adc83c98735ec9c43bccf9c46514664d449a43d2586d38a45970338655244e754d2a87a83e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004f

MD5 990324ce59f0281c7b36fb9889e8887f
SHA1 35abc926cbea649385d104b1fd2963055454bf27
SHA256 67bcedd3040fc55d968bbe21df05c02b731181541aff4ae72b9205300a4a3ecc
SHA512 31e83da1ac217d25be6e7f35a041881b926f731fff69db6f144e4fe99b696a31f9ab7766ca22cf5a482743c2a2d00a699ca2c2d67837a86c471a2dd3bed9ea1f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

MD5 9dde60482197e9ed51b9ade08935c578
SHA1 078ac9e47f455b2e1a624281e00616b0efd85204
SHA256 db4f3622f69e0c1ae867d6fc0d0ef1256b515a93ede033006e0ad0f03f3eb24e
SHA512 1dedf96fcc75d0af21590e7d13b2b44293af4e6d4e1080adb022e32799074c612b058d777e94a35bf552b73a518c1bceb6f0b4fa4d1387cf29e7ce7655182316

C:\Users\Admin\AppData\Local\Temp\350690463354

MD5 b0710e625b9f69752cadcebdce13a541
SHA1 8d6a05d34ed85f7eefd2fe37b3bc5e863562aa12
SHA256 0613ed582cb559ba6812bda1dc00c337e25a6796a2deca62d5a95f7f50ab6312
SHA512 7088fc666c9a312df304246fb9933175bbdc7014bb2aed18081e318e1ad8a5e170391576550dfef771bbdb5eab4e7a84548d51f2ef0d82ce4f492b20b6eb68a1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f7ea2b26562c1ce00053808ff9530b37
SHA1 0a4895b115ce914c0f5732ac9c32f27cf3ee8d6c
SHA256 2833bb955f7a223092af7ba7a107e9e256023e65a57e2250b2f23f2885853012
SHA512 039f944ee4c3f95ca9ebf0090e9e3020d42d4d271c811e3e5c6d18be74e5a9e7ae2670ee71c3d6bcecf894c7e27251057d6b93046fad5b535dceae91438a8388

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

MD5 0ff547c2876fd5b37ae6bf4ef2b04997
SHA1 865ebf51923981a3619ecd4c341537a077208bd0
SHA256 084e0406a86f3a586b9ba7d9d2a16e505aa1fdcd355a2abaff370cd624b044ca
SHA512 95fdc8e22bf1885628fd99a49955ab768bc6369ff33f6a6e2bdd6fb1b75677d5fad6383cd8fb7aac0cf986b7080a80988d227191b18e27b82c9630cf724c4265

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt~RFe591999.TMP

MD5 006a32fcaf662c1762a8717fe1490c5f
SHA1 a86f76d4f15f0eb115f828d95218fc2ce1e95030
SHA256 7d14615c24e0c7fa927f9b3949e63c1c2eab25aa5b79dd45b1741825227019d2
SHA512 675f72ebc0916bb4507e9d57a02797b06f6a52c0947c004cf3bc629cb844b4eaaf6d6335bdb67f9f2a92bdf0eb8b2bf59dc566f9a1cf2ecdc7b5b70d18c83ebe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d7e8ba76ce9f89020577cc8fdc1403a1
SHA1 c36ff8c69dd92d3e5b4066b0567529262bb3ece6
SHA256 0671f3608fc7b1cf7bee1ca83866101b51501b47ef0f534ba83d324ebfd99fda
SHA512 e5f609fcb4bb634c6611ab536b13759c8e2ecd93d8e417c244ce1e24980fdd224f14d395e87f9ae2c27cd6075045a9264228bae4c5d2058b5b81d3924ca14940

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5a497f011d1f3d1af2a398e4e8076601
SHA1 78925a47b3108b3a54f64f857d7113cc0723b8dc
SHA256 7bd356efc1f4f595b4ec9cf63b17e0cfeaec37060b0edfcabe8f4f45fdfcea3a
SHA512 0ae499c430ccdea1a84ca0d9928c08cad165dd1c09b1e5629e2d1fcd950c2e60645f9e3310395a6753104c64fffecb18ad08d6a847eb23b6ee7ffe2fb1cf181a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000078

MD5 3ae8bba7279972ba539bdb75e6ced7f5
SHA1 8c704696343c8ad13358e108ab8b2d0f9021fec2
SHA256 de760e6ff6b3aa8af41c5938a5f2bb565b6fc0c0fb3097f03689fe2d588c52f8
SHA512 3ca2300a11d965e92bba8dc96ae1b00eca150c530cbfeb9732b8329da47e2f469110306777ed661195ff456855f79e2c4209ccef4a562a71750eb903d0a42c24

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 71cf019cbfd2f567fee6e2ed99fa06a8
SHA1 c00339082909204ff70c7cbaa969dad0413068e4
SHA256 a1d222447b09be7647821a20f12f4509464a07891e0846de0da7b0a4b89cf5e9
SHA512 66482b6ed647265cb884e486fc7a2337326cc4353f0f0fc51ca2d3430cfd05691c2d067d6570a50ee5dffa04079611555cea3c32453571206898becbfb39fb60

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 1d0f949c35940e5d9e28433794929344
SHA1 218803af5f5e6872ef74a47df4e6d86a2339a561
SHA256 97a2094900de22ddf998a8e1f3162157ed1b29418d9798eaef38635c44466e5f
SHA512 52c9d4717d9a258fe5b2846c1bd3e686887d77ba5020d4c6945cbd6914ead16596c71286d132390ca5a604cdcedf032dadaba7c35cae55f2b7d10295af70ff0f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\50daab99-e2ab-4ffa-9e79-f6f328810dab\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 ce0b55234bb672757570dfed2eb04715
SHA1 c201d6697d0641fdce792b2aada9a7d6a3cf1bd4
SHA256 27d548063c8e88977c74077fd1dc48e7f519457c1784d8d0879ecdf2a9f66f26
SHA512 10daeaa9f1bd1bd721c151a013fe51be35bddf3bb776997335dacaf328e7f7498c695b3419319401a9668066fad5ceb172f5ccaeecdd238496c3abc4f3536ba5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 d6912c65cc5fdbac155ddc4d2d2ca088
SHA1 8e69beabfcd33863d00220be43ff374a21a2b1c0
SHA256 436ef1cee91ab4f62118fd35faa0047b87496adbb6cdabf6251e0ef4be4ed0e5
SHA512 71cad448a5547afc0c35a2fc88541e13bf8d00541c334e96d28dfa4f4fb6ba6908409149fa1b4e87a58e59fd7e4b9334f7868d4529b674becf910e1de5019983

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 91a4332ce94fea2432358eec70d58e0c
SHA1 f213c626c9b3793cd203475181ccf6b4b5c8136f
SHA256 3ef0f2662d3fb3ecea9f8f45c115ccd656db17787e08903aa3e4020e6b5c1555
SHA512 65ebc9f833e6aadfd9660d1bf5ff6c7c200b1d2000d442d9e7b34abcc65de9667875b5500df107a4ba13e0b9e5eb4c8d087542f292d9d552c10a2d39447be399

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 28cec37e559023018b782af001487224
SHA1 db8dcc5f5551ea621d0607ffd751ea6ceec19f6e
SHA256 2a2e5f6c9d7f8570b6f79390bc000d4755689a21f8cd86b2f46d366205e54792
SHA512 1c10b7fe71d7f58e60984aa2535a9376d49fb777f95702ac7de0c83f2a1a833852820512e476c0c4468054660c1ecea3ff7328f183720543f7a919aa15d50416

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a0843a35f0e34ff4b5797488a45ce60a
SHA1 6e0b35d0f0f90d660a6bf3922c5a744b6e16e6fb
SHA256 8db07704e0b070f86ce135eecc273c5afb29c1952797dadb348710769ff4f993
SHA512 c06195504cd164d38fff8a0110689bd8f86e1333497356311124338c187c7dcd068547037061f5466abd15b862568f47d85303e50a0541f8fed71dc4c39d95cf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\968c27e7-97ed-4f02-9c4a-7c41433822b0\index-dir\the-real-index

MD5 15038ba39bdf25a4ac3f2c39f8224e44
SHA1 35970f297311e76e0affb5110b247b0cff0432c2
SHA256 6fba209e926042c5f768e10adceee1d839edb2f7f6fcde0be92f85d200eac7b9
SHA512 aeda8e960d300830ee38ae7235f4790881f5162be3d95e537d80b7d4fa473efa2a9f090d3d9a1fb196ade17765f104c0a6c76d5a93831af06cdaf7f3fc0d6ea2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\968c27e7-97ed-4f02-9c4a-7c41433822b0\index-dir\the-real-index~RFe596b24.TMP

MD5 872edbf3ab9cebac282b16273e50f4eb
SHA1 d9a29de429f36eac9d5be08a71a17887e13bf496
SHA256 fc1e890ca36edd882da13c662595df2d595a61cb30ae78980a4570cd15e58185
SHA512 49f352a4dc020ae1abdf728af1658326a82b47916c36f6ee01298a359cfb0ad5790e8dd62e3f3291bbc16c14ca936254368ca9d7e5be2f212068be65b9dbb6d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 0f72bbe50c60a564a364510288fb0bb1
SHA1 ff2b7f2a6c87da77e592fec2b816c2093243b2d1
SHA256 7cf00448455d17a9642de4b87507d215b363417b65b187d2607f11dcc5cbe019
SHA512 143dc0383cacd03fd88b523b9eca400973f9ade52297ea964da1766d1d2d9b64745957c8873584a6ffe446bc6f79c24ea7bd6b66fcba82d7b9864f83e5e1c583

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4b2dbbc233cfa113d0b3c629f4427e03
SHA1 f94ac1c8c99379a2fd8be237babb609fac5c215d
SHA256 de6fd41d58a34e9d9ea66e67024ed5fcecaec3465c47fc58d9ecc4aa54d439f0
SHA512 8b5b41a44513325895a20cae8d227eaed19350d939b57f6df0cc2f5676e040b0f375ff87f85100b3f92e5182540f15e4cbdff3384def34c487f904cd256bc683

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 d56737097e41cd03f1179e729cd0a9a4
SHA1 9049d7819a2932ba8082c0fc9daf2c236b9c7dd7
SHA256 732a3d2ead733d61cb32c0404c03f9a7a6684943d1af751a97a2ebe388b69524
SHA512 2986004e68736e0d1b47aeea6fb158d53fc4f7574170dc6e5a7fae258a9b0bec5438f42c54094c0e035e324521ea2de9fbcb09133193e28e16537b55663ef51d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59acd0.TMP

MD5 8e1c516e1298582720990d90847e7d27
SHA1 a7082a4eec6a2b0b04fac34c56f9e64a511ef5b1
SHA256 2611cc5e058b6c14e54046ae54b336cc833aa530c89d33c1495d6e3495c137d3
SHA512 138b1a6152849f0476dc82d64c3a2debc6365515bedac1e78f537fd8c9c683bc1f71a0b2b7f2fadd5d7f4434fbb537358f112b06ae0516ab85b4c6016558d0cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5fc0fd0c203a09cc89e4cc737e925b54
SHA1 bd3dcad42bf3ef80a9435283e8c649cac6fc8331
SHA256 3a5f745f316cbd98b2aee9933108de5e75c56ede2c425abc48d2dedccd82e78b
SHA512 bd69ec253e4caf37c4e55c6e4caf85680e8a7db9524919415626b7b754b25509f08d5972c34703fba7081a8172f28c636deba2c4e67dd317e8fbb0997257cb64

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\bb95a754-5ea4-4b60-a272-765d8fe6d08e\index-dir\the-real-index~RFe59bcbe.TMP

MD5 20115aab0b238e83bc8e9106aa169328
SHA1 98a41e48dee99d694b5208cbbb16c2e9d37a310b
SHA256 cab20f22a45d5040b76ba309495d608b5f8a977c767d922826458c9819d54604
SHA512 8455b50367f7ac7b3439398ff3b87b560f27084aa1f1edc198c00063cafba4f72d20028abfdfb88dd4178a61de320a62ba89e8ec6dc07f4ac54b3496d490b47c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\bb95a754-5ea4-4b60-a272-765d8fe6d08e\index-dir\the-real-index

MD5 aeedf52608dd58fdf5a6951b8b49c222
SHA1 7f455f7d20dc3d1434320da7534de0a6b7c199d9
SHA256 8b99cb29805bef281c3d85f9f8c7baa25f081e93a859a7a43a7e911b95bb6e5d
SHA512 8f06c9acb780cb0d4d53efc4704eb3a448fd9f422ce0258a3d7f64304b714723832a81a648e4848859e1ddf848a75795585e6c4a17270e0d7bd432bdd603ee46

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 af4ffb11a95face25c17d21a820d9555
SHA1 99e4d4fc614b8513196ff0e6451fb651f6d73539
SHA256 7ac725a26148fea874eab6b956cb14fad8b859d8c83c5b29776c8316ea29bb7d
SHA512 00a67b21594dd400db7b4283256f35c6d85b7ca3da41dcf27ea00d5bf5ebdc52e1ec0a1d5ba6c9d5cd7c0549acbaba244d16895513afe9e5680f3dc8e67a1ee1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f2390fac3897f873e3ac6acf133cb6cb
SHA1 1df08d947dbf259f3c05a7cca40d79710f94d8f2
SHA256 faf3f316aa4064d195b4c844d2c1ca5690e53bb8cb294858d728bb28df06d07e
SHA512 8498cac67d5ce15edd7a91f11876f2efc4f122f5d8dd6ff3dd9e07fa12bbd21f09a5ef89f605254851e6beae0a514826101cf4ab512d58535ce18f46f2bb28c7