Analysis Overview
SHA256
73e6ce2239f49301bd4735478f554c771cec1a50b0d9a38eeef1e4267c6661f5
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
RedLine payload
RedLine
ZGRat
Raccoon
Glupteba
Glupteba payload
Raccoon Stealer payload
SectopRAT
SmokeLoader
DcRat
SectopRAT payload
Detect ZGRat V1
Amadey
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
Loads dropped DLL
Checks computer location settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Detected potential entity reuse from brand paypal.
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: MapViewOfSection
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-31 08:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-31 08:48
Reported
2023-10-31 08:50
Platform
win10v2004-20231020-en
Max time kernel
63s
Max time network
156s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\ADC.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\ADC.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\ADC.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\ADC.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\ADC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Raccoon
Raccoon Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
ZGRat
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YM2oR5.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3E34.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\766F.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6EDC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6EDC.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\ADC.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lJ9BV75.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Jb1sw43.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\MC4EM73.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\450.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PZ9LP7KO.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\4161.exe'\"" | C:\Users\Admin\AppData\Local\Temp\4161.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uI6Xr36.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eL5ht39.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hU7rf3nl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xF5ge0HZ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Xz9WA3su.exe | N/A |
Checks installed software on the system
Detected potential entity reuse from brand paypal.
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4448 set thread context of 264 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1QW33WP6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2828 set thread context of 4324 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2br5565.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3780 set thread context of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4oL555fq.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 5380 set thread context of 6348 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 7324 set thread context of 7548 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\LAudioConverter\is-6FEA9.tmp | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-48TT3.tmp | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-N551K.tmp | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-R9QPO.tmp | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-KDA8F.tmp | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-BCBNP.tmp | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-7DLSS.tmp | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\XML\Styles\is-OMBS8.tmp | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-L0STT.tmp | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-5P1AE.tmp | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-F9HLJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-4K5PE.tmp | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-5KP0A.tmp | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\XML\Styles\is-UR726.tmp | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\XML\Styles\is-5BSQL.tmp | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\LAudioConverter\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3pC66tW.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3pC66tW.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3pC66tW.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3pC66tW.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3pC66tW.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3pC66tW.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ADC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uI6Xr36.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uI6Xr36.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lJ9BV75.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lJ9BV75.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eL5ht39.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eL5ht39.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Jb1sw43.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Jb1sw43.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\MC4EM73.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\MC4EM73.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1QW33WP6.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1QW33WP6.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2br5565.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2br5565.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3pC66tW.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3pC66tW.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4324 -ip 4324
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4324 -s 540
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4oL555fq.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4oL555fq.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YM2oR5.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YM2oR5.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ny1Fs9.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ny1Fs9.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Wf4SU06.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Wf4SU06.exe
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C004.tmp\C005.tmp\C006.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Wf4SU06.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,10684127714397707658,4206376412088249924,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,10684127714397707658,4206376412088249924,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2944 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2892 /prefetch:2
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1560,7009669616027123296,5800065775878859772,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1552,7463795931563137476,10885002351267085768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x40,0x170,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x160,0x170,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x170,0x174,0x178,0x14c,0x17c,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7688 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7660 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\450.exe
C:\Users\Admin\AppData\Local\Temp\450.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PZ9LP7KO.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PZ9LP7KO.exe
C:\Users\Admin\AppData\Local\Temp\5D8.exe
C:\Users\Admin\AppData\Local\Temp\5D8.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hU7rf3nl.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hU7rf3nl.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xF5ge0HZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\xF5ge0HZ.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Xz9WA3su.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Xz9WA3su.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1RT60qh4.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1RT60qh4.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\81B.bat" "
C:\Users\Admin\AppData\Local\Temp\9F1.exe
C:\Users\Admin\AppData\Local\Temp\9F1.exe
C:\Users\Admin\AppData\Local\Temp\ADC.exe
C:\Users\Admin\AppData\Local\Temp\ADC.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Users\Admin\AppData\Local\Temp\D2F.exe
C:\Users\Admin\AppData\Local\Temp\D2F.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ZH568kn.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2ZH568kn.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 6348 -ip 6348
C:\Users\Admin\AppData\Local\Temp\106C.exe
C:\Users\Admin\AppData\Local\Temp\106C.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6348 -s 540
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8412 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8260 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7848 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8700 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9212 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9144 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9080 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9056 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8672 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8660 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8600 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=8264 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x31c 0x318
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2112,13761987240434612883,11378219204816424246,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7376 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\3E34.exe
C:\Users\Admin\AppData\Local\Temp\3E34.exe
C:\Users\Admin\AppData\Local\Temp\4161.exe
C:\Users\Admin\AppData\Local\Temp\4161.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\kos4.exe
"C:\Users\Admin\AppData\Local\Temp\kos4.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RSSGJ.tmp\LzmwAqmV.tmp" /SL5="$50290,2998240,68096,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Users\Admin\AppData\Local\Temp\66DC.exe
C:\Users\Admin\AppData\Local\Temp\66DC.exe
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\6EDC.exe
C:\Users\Admin\AppData\Local\Temp\6EDC.exe
C:\Users\Admin\AppData\Local\Temp\766F.exe
C:\Users\Admin\AppData\Local\Temp\766F.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 8100 -ip 8100
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "LAC1031-1"
C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe
"C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe" -i
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 8100 -s 784
C:\Users\Admin\AppData\Local\Temp\796D.exe
C:\Users\Admin\AppData\Local\Temp\796D.exe
C:\Users\Admin\AppData\Local\Temp\7CE9.exe
C:\Users\Admin\AppData\Local\Temp\7CE9.exe
C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe
"C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe" -s
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ea7c8244c8" /P "Admin:N"&&CACLS "..\ea7c8244c8" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ea7c8244c8" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ea7c8244c8" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3172 -ip 3172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 576
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff905c446f8,0x7ff905c44708,0x7ff905c44718
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,12212592193297517110,17354907169522182213,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,12212592193297517110,17354907169522182213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2648 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,12212592193297517110,17354907169522182213,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2596 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12212592193297517110,17354907169522182213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12212592193297517110,17354907169522182213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\tar.exe
tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\350690463354_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12212592193297517110,17354907169522182213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12212592193297517110,17354907169522182213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12212592193297517110,17354907169522182213,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12212592193297517110,17354907169522182213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,12212592193297517110,17354907169522182213,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,12212592193297517110,17354907169522182213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3768 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,12212592193297517110,17354907169522182213,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3768 /prefetch:8
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
C:\Users\Admin\AppData\Roaming\btswhat
C:\Users\Admin\AppData\Roaming\btswhat
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| RU | 193.233.255.73:80 | 193.233.255.73 | tcp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.255.233.193.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 157.240.201.35:443 | www.facebook.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | store.steampowered.com | udp |
| NL | 104.85.0.101:443 | store.steampowered.com | tcp |
| US | 8.8.8.8:53 | 35.201.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 104.244.42.65:443 | twitter.com | tcp |
| US | 8.8.8.8:53 | api.twitter.com | udp |
| US | 8.8.8.8:53 | abs.twimg.com | udp |
| US | 8.8.8.8:53 | pbs.twimg.com | udp |
| US | 104.244.42.130:443 | api.twitter.com | tcp |
| NL | 199.232.148.159:443 | pbs.twimg.com | tcp |
| US | 8.8.8.8:53 | t.co | udp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 8.8.8.8:53 | video.twimg.com | udp |
| US | 8.8.8.8:53 | 101.0.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.ads-twitter.com | udp |
| US | 8.8.8.8:53 | 65.42.244.104.in-addr.arpa | udp |
| US | 104.244.42.69:443 | t.co | tcp |
| NL | 199.232.148.157:443 | static.ads-twitter.com | tcp |
| US | 68.232.34.217:443 | video.twimg.com | tcp |
| US | 8.8.8.8:53 | analytics.twitter.com | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| US | 104.244.42.131:443 | analytics.twitter.com | tcp |
| JP | 23.207.106.113:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | www.epicgames.com | udp |
| US | 34.206.130.105:443 | www.epicgames.com | tcp |
| US | 8.8.8.8:53 | www.paypal.com | udp |
| US | 151.101.1.21:443 | www.paypal.com | tcp |
| US | 8.8.8.8:53 | 159.148.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.21.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.148.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.34.232.68.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.106.207.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.130.206.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 92.47.239.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store.akamai.steamstatic.com | udp |
| NL | 23.72.252.176:443 | store.akamai.steamstatic.com | tcp |
| NL | 23.72.252.176:443 | store.akamai.steamstatic.com | tcp |
| NL | 23.72.252.176:443 | store.akamai.steamstatic.com | tcp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| NL | 88.221.25.153:80 | apps.identrust.com | tcp |
| NL | 142.250.179.214:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | tracking.epicgames.com | udp |
| US | 54.166.243.177:443 | tracking.epicgames.com | tcp |
| US | 8.8.8.8:53 | static-assets-prod.unrealengine.com | udp |
| US | 18.239.36.103:443 | static-assets-prod.unrealengine.com | tcp |
| US | 18.239.36.103:443 | static-assets-prod.unrealengine.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | community.akamai.steamstatic.com | udp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| US | 8.8.8.8:53 | 153.25.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.36.239.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.243.166.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.paypalobjects.com | udp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 8.8.8.8:53 | 169.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| IE | 163.70.151.35:443 | facebook.com | tcp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| IE | 163.70.151.35:443 | fbcdn.net | tcp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| NL | 23.72.252.176:443 | store.akamai.steamstatic.com | tcp |
| NL | 23.72.252.176:443 | store.akamai.steamstatic.com | tcp |
| NL | 23.72.252.176:443 | store.akamai.steamstatic.com | tcp |
| US | 8.8.8.8:53 | c.paypal.com | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 192.55.233.1:443 | tcp | |
| US | 8.8.8.8:53 | www.recaptcha.net | udp |
| NL | 172.217.168.227:443 | www.recaptcha.net | tcp |
| US | 192.55.233.1:443 | tcp | |
| NL | 172.217.168.227:443 | www.recaptcha.net | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | login.steampowered.com | udp |
| JP | 23.207.106.113:443 | login.steampowered.com | tcp |
| US | 8.8.8.8:53 | t.paypal.com | udp |
| US | 8.8.8.8:53 | b.stats.paypal.com | udp |
| US | 151.101.1.35:443 | t.paypal.com | tcp |
| US | 64.4.245.84:443 | b.stats.paypal.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.245.4.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.1.101.151.in-addr.arpa | udp |
| FI | 77.91.68.249:80 | 77.91.68.249 | tcp |
| RU | 193.233.255.73:80 | 193.233.255.73 | tcp |
| US | 8.8.8.8:53 | 249.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| NL | 194.169.175.118:80 | 194.169.175.118 | tcp |
| FI | 77.91.124.86:19084 | tcp | |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | 118.175.169.194.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| NL | 142.250.179.214:443 | i.ytimg.com | udp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| NL | 142.251.39.98:443 | googleads.g.doubleclick.net | tcp |
| NL | 142.251.39.98:443 | googleads.g.doubleclick.net | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | 71.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yt3.ggpht.com | udp |
| NL | 142.251.36.1:443 | yt3.ggpht.com | tcp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| NL | 142.251.36.1:443 | yt3.ggpht.com | udp |
| US | 8.8.8.8:53 | stim.graspalace.com | udp |
| US | 188.114.97.0:80 | stim.graspalace.com | tcp |
| NL | 104.85.0.101:443 | store.steampowered.com | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | static.doubleclick.net | udp |
| NL | 172.217.168.202:443 | jnn-pa.googleapis.com | tcp |
| NL | 142.251.36.6:443 | static.doubleclick.net | tcp |
| US | 8.8.8.8:53 | 213.28.22.171.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.168.217.172.in-addr.arpa | udp |
| NL | 172.217.168.202:443 | jnn-pa.googleapis.com | udp |
| US | 149.40.62.171:15666 | tcp | |
| FI | 77.91.124.86:19084 | tcp | |
| IT | 185.196.9.171:80 | 185.196.9.171 | tcp |
| US | 104.237.62.212:443 | tcp | |
| BG | 171.22.28.213:80 | tcp | |
| US | 8.8.8.8:53 | youtube.com | udp |
| US | 8.8.8.8:53 | 212.62.237.104.in-addr.arpa | udp |
| NL | 216.58.214.14:443 | youtube.com | tcp |
| FI | 77.91.124.1:80 | tcp | |
| FI | 77.91.124.86:19084 | tcp | |
| US | 194.49.94.11:80 | 194.49.94.11 | tcp |
| US | 8.8.8.8:53 | 11.94.49.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 185.196.8.176:80 | 185.196.8.176 | tcp |
| US | 185.196.8.176:80 | 185.196.8.176 | tcp |
| US | 8.8.8.8:53 | 176.8.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dub.stats.paypal.com | udp |
| US | 64.4.245.84:443 | dub.stats.paypal.com | tcp |
| US | 8.8.8.8:53 | api.steampowered.com | udp |
| JP | 23.207.106.113:443 | api.steampowered.com | tcp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 172.75.67.172.in-addr.arpa | udp |
| US | 185.196.8.176:80 | 185.196.8.176 | tcp |
| BG | 171.22.28.239:42359 | tcp | |
| FI | 77.91.124.86:19084 | tcp | |
| FI | 77.91.124.86:19084 | tcp | |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| US | 95.214.26.28:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 28.26.214.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | a03e7b14-05c5-4f4d-8d6f-6aa4d0134270.uuid.statsexplorer.org | udp |
| JP | 23.207.106.113:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| FI | 77.91.124.71:4341 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uI6Xr36.exe
| MD5 | 879f360368f64e4bb4554d3a164bda79 |
| SHA1 | adf9f67e7c2e89824bd390516919fd40a28a410e |
| SHA256 | d783327ccb944dbd271506cf78445681406afb0fe3e176338e7a51167ea27841 |
| SHA512 | cce119cac7d909d324bef394385649645dc23c2682aeaa10921ad4503e80ae5abb151b74b0a10d9f332eabfb860547f95e8be621f9d8c7e98f7f5ddacb918abc |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\uI6Xr36.exe
| MD5 | 879f360368f64e4bb4554d3a164bda79 |
| SHA1 | adf9f67e7c2e89824bd390516919fd40a28a410e |
| SHA256 | d783327ccb944dbd271506cf78445681406afb0fe3e176338e7a51167ea27841 |
| SHA512 | cce119cac7d909d324bef394385649645dc23c2682aeaa10921ad4503e80ae5abb151b74b0a10d9f332eabfb860547f95e8be621f9d8c7e98f7f5ddacb918abc |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lJ9BV75.exe
| MD5 | 33cbefc2f89f458e060cb64a9af2c58c |
| SHA1 | c59f79ba43c6c0fbf13fb791f3b4e775ddc0bc67 |
| SHA256 | 769e628143cda64b67da86e9f344210888e9e60c5cd3382d53943aa2282b7444 |
| SHA512 | a699d0bcc3654f3cba7dccc2cb720463d19eea1c7a02e2c8e0b1cc4343688c6d57d210bd36c91f2192034ab33f8c8b1e84b9eee436520f22196f769409b9670c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\lJ9BV75.exe
| MD5 | 33cbefc2f89f458e060cb64a9af2c58c |
| SHA1 | c59f79ba43c6c0fbf13fb791f3b4e775ddc0bc67 |
| SHA256 | 769e628143cda64b67da86e9f344210888e9e60c5cd3382d53943aa2282b7444 |
| SHA512 | a699d0bcc3654f3cba7dccc2cb720463d19eea1c7a02e2c8e0b1cc4343688c6d57d210bd36c91f2192034ab33f8c8b1e84b9eee436520f22196f769409b9670c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eL5ht39.exe
| MD5 | 9d2ec36e62802a791a26a78c29740d06 |
| SHA1 | 28ab0458bbd8307cf31943f6f5be0720f1b9187f |
| SHA256 | c790b8786a592e51549b2373826fffb7c484d0add3ddb7e68143eece9bbeed6e |
| SHA512 | d7ae0f931cf8946f6bf8465885b5f8907aabbc9151dfd547b4fa002d16bc9528d6ac6de2361dae625d7e08f8755acdae2092cf3144aaeb2f4a831137291e439a |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eL5ht39.exe
| MD5 | 9d2ec36e62802a791a26a78c29740d06 |
| SHA1 | 28ab0458bbd8307cf31943f6f5be0720f1b9187f |
| SHA256 | c790b8786a592e51549b2373826fffb7c484d0add3ddb7e68143eece9bbeed6e |
| SHA512 | d7ae0f931cf8946f6bf8465885b5f8907aabbc9151dfd547b4fa002d16bc9528d6ac6de2361dae625d7e08f8755acdae2092cf3144aaeb2f4a831137291e439a |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Jb1sw43.exe
| MD5 | e4577f1c459188baacf3ca355e88fc3b |
| SHA1 | ad6f5c0b9166eae97d6d071586849f1ba1567e35 |
| SHA256 | 40b986d8a9c5e1c3bacafe86f068bb6cd45bff7a96f2ad7cf52007478849496e |
| SHA512 | fc5f9f8c2f347c38d3477378900263ae8d3228bcf6b88076e7153312c73589fd18745fab6d9739a3fe0f59d7859afa68f1b5d14fff16adc0f7c92b223c3d45b4 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Jb1sw43.exe
| MD5 | e4577f1c459188baacf3ca355e88fc3b |
| SHA1 | ad6f5c0b9166eae97d6d071586849f1ba1567e35 |
| SHA256 | 40b986d8a9c5e1c3bacafe86f068bb6cd45bff7a96f2ad7cf52007478849496e |
| SHA512 | fc5f9f8c2f347c38d3477378900263ae8d3228bcf6b88076e7153312c73589fd18745fab6d9739a3fe0f59d7859afa68f1b5d14fff16adc0f7c92b223c3d45b4 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\MC4EM73.exe
| MD5 | 6f327d6604ff45c9ef7bd84ae4608e99 |
| SHA1 | d20dc5c09b394bbdc33479e71491d1c5efe66640 |
| SHA256 | dd9a34d8d742f9de3fabfd09381806922c7775f4da8daf713ba47aec3b496177 |
| SHA512 | 21ec7b1c6edb9e02bf386dbfc242480de55eb1f1a80534738df6af74111a79f226ec87265302cbdc23042f7832e0c2fd8d59911f4dcfe58ed07a5ff23ca1d9a1 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\MC4EM73.exe
| MD5 | 6f327d6604ff45c9ef7bd84ae4608e99 |
| SHA1 | d20dc5c09b394bbdc33479e71491d1c5efe66640 |
| SHA256 | dd9a34d8d742f9de3fabfd09381806922c7775f4da8daf713ba47aec3b496177 |
| SHA512 | 21ec7b1c6edb9e02bf386dbfc242480de55eb1f1a80534738df6af74111a79f226ec87265302cbdc23042f7832e0c2fd8d59911f4dcfe58ed07a5ff23ca1d9a1 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1QW33WP6.exe
| MD5 | f5d102485115d8726abf2bde38b4d483 |
| SHA1 | 66ad11efc957f5e1c66f833beb8c663532560679 |
| SHA256 | 75e2ab963c87f03c4f08e68231ccd3a2084c87633482ee0d1b118d2b5e5d4589 |
| SHA512 | cc4bc9e4b1f5b88fc36fb76273a4d5b9f1e06c86f6a8f57f14eaf08b4e7be20a99cf5d360e8bb34e2b759b5132ce31590f73556920dc847253ba3bf8bfc2f533 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1QW33WP6.exe
| MD5 | f5d102485115d8726abf2bde38b4d483 |
| SHA1 | 66ad11efc957f5e1c66f833beb8c663532560679 |
| SHA256 | 75e2ab963c87f03c4f08e68231ccd3a2084c87633482ee0d1b118d2b5e5d4589 |
| SHA512 | cc4bc9e4b1f5b88fc36fb76273a4d5b9f1e06c86f6a8f57f14eaf08b4e7be20a99cf5d360e8bb34e2b759b5132ce31590f73556920dc847253ba3bf8bfc2f533 |
memory/264-42-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2br5565.exe
| MD5 | 5d8c814cd8d34f969582fc1800c34c0f |
| SHA1 | 7998215f9c1747f188715d6ceede608e65d2dad2 |
| SHA256 | 984a3f281c2e5b19b4f408b4bf3b20ae51506ccd32e8c47190b8296db209ac93 |
| SHA512 | 3968801c482d7a02e3b1cbbd5913dbb502e3b42fd1c3aa3c94d47ab57aad07036f07187e749633f36599fc3c93f01371414a952421a8a26857dafe77e7e4a1d1 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2br5565.exe
| MD5 | 5d8c814cd8d34f969582fc1800c34c0f |
| SHA1 | 7998215f9c1747f188715d6ceede608e65d2dad2 |
| SHA256 | 984a3f281c2e5b19b4f408b4bf3b20ae51506ccd32e8c47190b8296db209ac93 |
| SHA512 | 3968801c482d7a02e3b1cbbd5913dbb502e3b42fd1c3aa3c94d47ab57aad07036f07187e749633f36599fc3c93f01371414a952421a8a26857dafe77e7e4a1d1 |
memory/264-46-0x0000000074070000-0x0000000074820000-memory.dmp
memory/4324-47-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4324-48-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4324-49-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4324-51-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3pC66tW.exe
| MD5 | 66aee8ea5cefe25342b9f54aa345dd94 |
| SHA1 | 615465ef5f0f6fc55c1172295b50d6963880636b |
| SHA256 | 71993a447bce737e56053fae30b5abc16715794b065609fb52f82e086f39c708 |
| SHA512 | ba41968c6967223107fe6b1d42b03c1d88f27be68793ac5211ac5fb3815f1ad229aa322d35576f889e324793d401bcdaff221399e5a86a454020724999c58976 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3pC66tW.exe
| MD5 | 66aee8ea5cefe25342b9f54aa345dd94 |
| SHA1 | 615465ef5f0f6fc55c1172295b50d6963880636b |
| SHA256 | 71993a447bce737e56053fae30b5abc16715794b065609fb52f82e086f39c708 |
| SHA512 | ba41968c6967223107fe6b1d42b03c1d88f27be68793ac5211ac5fb3815f1ad229aa322d35576f889e324793d401bcdaff221399e5a86a454020724999c58976 |
memory/3348-54-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3244-56-0x00000000010C0000-0x00000000010D6000-memory.dmp
memory/3348-58-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4oL555fq.exe
| MD5 | 596d0897c9cc7e845657c71eb9272cf0 |
| SHA1 | 4b1a4b2764ab91c189af3d2f0089092d44df7cde |
| SHA256 | fe69138d1cad833c2db6de75f515925e4e679631d7b6240f3bb9558b982c5dd6 |
| SHA512 | 9d6905677cc1de62c4c608005f8b488f995a2f8854db046dc680baf0a3badf974d109e7cedffce12bc26fa68fba5c5cb68dd02c7d3b63e544eea9b9dd612cb18 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4oL555fq.exe
| MD5 | 596d0897c9cc7e845657c71eb9272cf0 |
| SHA1 | 4b1a4b2764ab91c189af3d2f0089092d44df7cde |
| SHA256 | fe69138d1cad833c2db6de75f515925e4e679631d7b6240f3bb9558b982c5dd6 |
| SHA512 | 9d6905677cc1de62c4c608005f8b488f995a2f8854db046dc680baf0a3badf974d109e7cedffce12bc26fa68fba5c5cb68dd02c7d3b63e544eea9b9dd612cb18 |
memory/3052-63-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YM2oR5.exe
| MD5 | 9877e9bc4df37528337980dd64403d01 |
| SHA1 | 6cc0cdea3654b581393716da97dc8ddb7470cb28 |
| SHA256 | 3f3053b16308aa7e4e4ec4bde8b4fb43ba3325aa284ddcef5a65f37176883574 |
| SHA512 | 7898d06b6c569f148fe0616d00edc1308f9ec416bd2bf37cf9979f198be1abcd0b36985f22739c96ee3a33c04f9f8286dcc7d20b3035e72398fed59b23af25a3 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5YM2oR5.exe
| MD5 | 9877e9bc4df37528337980dd64403d01 |
| SHA1 | 6cc0cdea3654b581393716da97dc8ddb7470cb28 |
| SHA256 | 3f3053b16308aa7e4e4ec4bde8b4fb43ba3325aa284ddcef5a65f37176883574 |
| SHA512 | 7898d06b6c569f148fe0616d00edc1308f9ec416bd2bf37cf9979f198be1abcd0b36985f22739c96ee3a33c04f9f8286dcc7d20b3035e72398fed59b23af25a3 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 9877e9bc4df37528337980dd64403d01 |
| SHA1 | 6cc0cdea3654b581393716da97dc8ddb7470cb28 |
| SHA256 | 3f3053b16308aa7e4e4ec4bde8b4fb43ba3325aa284ddcef5a65f37176883574 |
| SHA512 | 7898d06b6c569f148fe0616d00edc1308f9ec416bd2bf37cf9979f198be1abcd0b36985f22739c96ee3a33c04f9f8286dcc7d20b3035e72398fed59b23af25a3 |
memory/3052-69-0x0000000074070000-0x0000000074820000-memory.dmp
memory/3052-70-0x0000000007B00000-0x00000000080A4000-memory.dmp
memory/3052-71-0x00000000075F0000-0x0000000007682000-memory.dmp
memory/3052-73-0x00000000075E0000-0x00000000075F0000-memory.dmp
memory/3052-77-0x00000000077C0000-0x00000000077CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 9877e9bc4df37528337980dd64403d01 |
| SHA1 | 6cc0cdea3654b581393716da97dc8ddb7470cb28 |
| SHA256 | 3f3053b16308aa7e4e4ec4bde8b4fb43ba3325aa284ddcef5a65f37176883574 |
| SHA512 | 7898d06b6c569f148fe0616d00edc1308f9ec416bd2bf37cf9979f198be1abcd0b36985f22739c96ee3a33c04f9f8286dcc7d20b3035e72398fed59b23af25a3 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 9877e9bc4df37528337980dd64403d01 |
| SHA1 | 6cc0cdea3654b581393716da97dc8ddb7470cb28 |
| SHA256 | 3f3053b16308aa7e4e4ec4bde8b4fb43ba3325aa284ddcef5a65f37176883574 |
| SHA512 | 7898d06b6c569f148fe0616d00edc1308f9ec416bd2bf37cf9979f198be1abcd0b36985f22739c96ee3a33c04f9f8286dcc7d20b3035e72398fed59b23af25a3 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ny1Fs9.exe
| MD5 | b0ed2cd363b5152c63c745f66cc74bc0 |
| SHA1 | 3394eef50cb83b54e3aa7b4d575cc871c171eb1a |
| SHA256 | 8881e0de723415b297a1a7d959a2b2309d46db44ac2f54c22612ed9df89a686f |
| SHA512 | 750719f533c3d3f0b44dcabc4683fe40d865f85a8c1d3141bed492f7921f0bc788df44cdb8a5534005d6c1565cd211b4ded6b1123bda2b279179a9ca7ff3ac47 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6ny1Fs9.exe
| MD5 | b0ed2cd363b5152c63c745f66cc74bc0 |
| SHA1 | 3394eef50cb83b54e3aa7b4d575cc871c171eb1a |
| SHA256 | 8881e0de723415b297a1a7d959a2b2309d46db44ac2f54c22612ed9df89a686f |
| SHA512 | 750719f533c3d3f0b44dcabc4683fe40d865f85a8c1d3141bed492f7921f0bc788df44cdb8a5534005d6c1565cd211b4ded6b1123bda2b279179a9ca7ff3ac47 |
memory/3052-84-0x00000000086D0000-0x0000000008CE8000-memory.dmp
memory/3052-85-0x0000000007960000-0x0000000007A6A000-memory.dmp
memory/3052-86-0x0000000007890000-0x00000000078A2000-memory.dmp
memory/3052-87-0x00000000078F0000-0x000000000792C000-memory.dmp
memory/264-88-0x0000000074070000-0x0000000074820000-memory.dmp
memory/3052-89-0x0000000007A70000-0x0000000007ABC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Wf4SU06.exe
| MD5 | ef448a0aef6a7364120365b891911bd9 |
| SHA1 | 1b588451d434e13e7309ea5aba3fa18db068c0f4 |
| SHA256 | 54f45cc37b6c70ac852379af7aef0f8077f85934dfaadd426bdffaf049683068 |
| SHA512 | 5cee495c91fab4e0c92cc48ee8e073831518f5125109f78c1c3a7bb18a0cdd50d69ad7e8b69e8bac52f07c3b464007bcf63d586545a0bfdc094644bcced53b66 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Wf4SU06.exe
| MD5 | ef448a0aef6a7364120365b891911bd9 |
| SHA1 | 1b588451d434e13e7309ea5aba3fa18db068c0f4 |
| SHA256 | 54f45cc37b6c70ac852379af7aef0f8077f85934dfaadd426bdffaf049683068 |
| SHA512 | 5cee495c91fab4e0c92cc48ee8e073831518f5125109f78c1c3a7bb18a0cdd50d69ad7e8b69e8bac52f07c3b464007bcf63d586545a0bfdc094644bcced53b66 |
C:\Users\Admin\AppData\Local\Temp\C004.tmp\C005.tmp\C006.bat
| MD5 | 0769624c4307afb42ff4d8602d7815ec |
| SHA1 | 786853c829f4967a61858c2cdf4891b669ac4df9 |
| SHA256 | 7da27df04c56cf1aa11d427d9a3dff48b0d0df8c11f7090eb849abee6bfe421f |
| SHA512 | df8e4c6e50c74f5daf89b3585a98980ac1dbacf4cce641571f8999e4263078e5d14863dae9cf64be4c987671a21ebdce3bf8e210715f68c5e383cc4d55f53106 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 777424efaa0b7dc4020fed63a05319cf |
| SHA1 | f4ff37d51b7dd7a46606762c1531644b8fbc99c7 |
| SHA256 | 30d13502553b37ca0221b08f834e49be44ba9b9c2bbb032dded6e3ab3f0480d5 |
| SHA512 | 7e61eab7b512ac99d2c5a5c4140bf0e27e638eb02235cd32364f0d43ee0784e2d8ac212d06a082c1dce9f61c63b507cb8feb17efffbd1954b617208740f72ad9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
memory/264-110-0x0000000074070000-0x0000000074820000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
\??\pipe\LOCAL\crashpad_4432_ABMKHNDJDKUXHFNB
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_3884_PTKOSCIMKTTFPDUF
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2e3880772a978e9d6924530b064f84a9 |
| SHA1 | 0949bc0851fa2660b6d61e7aba770605ede4a1da |
| SHA256 | bd521490ed59230324849bab28a7179f679575380b38b5b9eaa0c9b6e1d94c3e |
| SHA512 | a3d9d242a9b14ab0aae6097eec301d039cfbf27e1806efb1abcb21aaadb6dd193546ddebca6462a7bd87570b5dd9eb12ee7dff6b03cb262bbf0bc052ef18e607 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3d25e3e9d37690122b5157859f110630 |
| SHA1 | 08eee9076d5c3b4426c02fb55e665165b163eec4 |
| SHA256 | e71afebb3ceda395d7f0f0ebb9cc57ef8977c73b9f8c7bc13c7a93f67b672c6f |
| SHA512 | 20acf8844282d153d303472cf020fc5c4bfb670d0e7fc0bfdc278c1c0c785b215b42ed3585a452210b74ecf88323d938cf862f0d8a7dc964e49bc108b55b1f54 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8b04592f288d7ffcf7b21114c978fbce |
| SHA1 | a7337a561c15eaa873076f8f9c371d9842181d86 |
| SHA256 | e2c07b3d6ecdbd7ed084fd34b849cac0dcecbde9caa8a4783fabc1e0a85b1907 |
| SHA512 | d722c36cc231cab9dd10aa43a151c6e1c114b36bd150b3556ec3c4c7c60aec691148aeeae4198167cf957ce1946708af6d64b0738b0bd971c3394e978e8eed7f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8b04592f288d7ffcf7b21114c978fbce |
| SHA1 | a7337a561c15eaa873076f8f9c371d9842181d86 |
| SHA256 | e2c07b3d6ecdbd7ed084fd34b849cac0dcecbde9caa8a4783fabc1e0a85b1907 |
| SHA512 | d722c36cc231cab9dd10aa43a151c6e1c114b36bd150b3556ec3c4c7c60aec691148aeeae4198167cf957ce1946708af6d64b0738b0bd971c3394e978e8eed7f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2e3880772a978e9d6924530b064f84a9 |
| SHA1 | 0949bc0851fa2660b6d61e7aba770605ede4a1da |
| SHA256 | bd521490ed59230324849bab28a7179f679575380b38b5b9eaa0c9b6e1d94c3e |
| SHA512 | a3d9d242a9b14ab0aae6097eec301d039cfbf27e1806efb1abcb21aaadb6dd193546ddebca6462a7bd87570b5dd9eb12ee7dff6b03cb262bbf0bc052ef18e607 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\eab96759-7d25-4ab1-a14d-64be59746ddb.tmp
| MD5 | 8dfaee233166213c70337e7ea22fa524 |
| SHA1 | 39654237de0021c935ab0b7c019a7453ecaaa74f |
| SHA256 | 78ea3282cad25ebeb18d3932d3c00619e788d9faea5e4d20c2f9c4c4d0236a19 |
| SHA512 | fe57b34d14b135f00283fdd179f7ccc786b41c48b97fec89d658a2047208d5a5e83cf2e1848b855130b3ca0e85d19c905d3473dc825dc65495faca74087362bf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8dfaee233166213c70337e7ea22fa524 |
| SHA1 | 39654237de0021c935ab0b7c019a7453ecaaa74f |
| SHA256 | 78ea3282cad25ebeb18d3932d3c00619e788d9faea5e4d20c2f9c4c4d0236a19 |
| SHA512 | fe57b34d14b135f00283fdd179f7ccc786b41c48b97fec89d658a2047208d5a5e83cf2e1848b855130b3ca0e85d19c905d3473dc825dc65495faca74087362bf |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 2e3880772a978e9d6924530b064f84a9 |
| SHA1 | 0949bc0851fa2660b6d61e7aba770605ede4a1da |
| SHA256 | bd521490ed59230324849bab28a7179f679575380b38b5b9eaa0c9b6e1d94c3e |
| SHA512 | a3d9d242a9b14ab0aae6097eec301d039cfbf27e1806efb1abcb21aaadb6dd193546ddebca6462a7bd87570b5dd9eb12ee7dff6b03cb262bbf0bc052ef18e607 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8b04592f288d7ffcf7b21114c978fbce |
| SHA1 | a7337a561c15eaa873076f8f9c371d9842181d86 |
| SHA256 | e2c07b3d6ecdbd7ed084fd34b849cac0dcecbde9caa8a4783fabc1e0a85b1907 |
| SHA512 | d722c36cc231cab9dd10aa43a151c6e1c114b36bd150b3556ec3c4c7c60aec691148aeeae4198167cf957ce1946708af6d64b0738b0bd971c3394e978e8eed7f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
memory/3052-270-0x0000000074070000-0x0000000074820000-memory.dmp
memory/3052-286-0x00000000075E0000-0x00000000075F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028
| MD5 | a5c3c60ee66c5eee4d68fdcd1e70a0f8 |
| SHA1 | 679c2d0f388fcf61ecc2a0d735ef304b21e428d2 |
| SHA256 | a77e911505d857000f49f47d29f28399475324bbf89c5c77066e9f9aca4dd234 |
| SHA512 | 5a4f5a1e0de5e650ca4b56bfd8e6830b98272a74d75610ed6e2f828f47cdf8447fbc5d8404bcf706ca95e5833e7c255f251137855723b531d12cbc450062750a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4d4bac5f7adf72ce902e5abb45add6d5 |
| SHA1 | e3eccb0702794540052e0c12809c812db548d910 |
| SHA256 | e0c49fd2c16ad4ea00aad375f0d5da99c06dca407e67b7b51e15a4293bf21e49 |
| SHA512 | 3bd15e84615ebd296d026332540287d43a34caf26e0e2e66e9d5ca93f4d870496c35fa1fdfad29387f913d6e9d3fb3d9c8eaa4464feb37f903d8f4ddc61c69af |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3e29f593ba4c2d4199f106965e3856c8 |
| SHA1 | 2bde0b83f6c907674dec5ebb4cd722473ec979bf |
| SHA256 | bf2eb99f5c44e3234379c1b9aa5eec0d2cb44f5c7e8e647f6b9efb72e8b55bbd |
| SHA512 | cf32eaa4e84058bdfa6d6dca43b2b2a92df8cd94cbfa255e1131d916d2399f74f3d85782d89183ee86580ed17648a5d44a327808a5adc41654c15d84df3da04c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
| MD5 | 923a543cc619ea568f91b723d9fb1ef0 |
| SHA1 | 6f4ade25559645c741d7327c6e16521e43d7e1f9 |
| SHA256 | bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd |
| SHA512 | a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 1c706d53e85fb5321a8396d197051531 |
| SHA1 | 0d92aa8524fb1d47e7ee5d614e58a398c06141a4 |
| SHA256 | 80c44553381f37e930f1c82a1dc2e77acd7b955ec0dc99d090d5bd6b32c3c932 |
| SHA512 | d43867392c553d4afffa45a1b87a74e819964011fb1226ee54e23a98fc63ca80e266730cec6796a2afa435b1ea28aed72c55eae1ae5d31ec778f53be3e2162fc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
| MD5 | 7d75a9eb3b38b5dd04b8a7ce4f1b87cc |
| SHA1 | 68f598c84936c9720c5ffd6685294f5c94000dff |
| SHA256 | 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7 |
| SHA512 | cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031
| MD5 | a6056708f2b40fe06e76df601fdc666a |
| SHA1 | 542f2a7be8288e26f08f55216e0c32108486c04c |
| SHA256 | fe8009d99826585803f561c9d7b01c95ec4a666e92fedb2c1ca6fa0f50bb7152 |
| SHA512 | e83e64d00199a51c1f17faca3012f6f28ad54e5ac48acea6509cccdd61ddb08b03c3a895776944190a4e261393b90f9f516ad64b1b0e4cdd88a66f6f691331a4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032
| MD5 | b24045e033655badfcc5b3292df544fb |
| SHA1 | 7869c0742b4d5cd8f1341bb061ac6c8c8cf8544b |
| SHA256 | ce60e71ab0f5a6f0a61ee048ff379b355d72cd01fda773380b4b474b4273ec6c |
| SHA512 | 0496eab064778fe47802d7f79a536022de4a89d085457ad0d092597f93e19653f750b86f5649768e18f631505ff9792c421ba3a14b9d30522d731b5cd3d8206c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6WS26vF.exe
| MD5 | 8f2bf02119aac2481082f886d5ca007a |
| SHA1 | 1e5f46d7e86cb0b24b770b771afa234ff9e7355f |
| SHA256 | cf3d920dcfd83c88dc8c3248766bf200e9ed0175988e5230c81a32ac5f53c6b4 |
| SHA512 | c62208b45602e2b0e73f1568254d66e6bb495e0f5f9cc51dfdb6d129dddb4bda7b3263694963259dac7c63ddc9d981e4d59d6139c0c0c161005221881b7f5dc1 |
C:\Users\Admin\AppData\Local\Temp\5D8.exe
| MD5 | e561df80d8920ae9b152ddddefd13c7c |
| SHA1 | 0d020453f62d2188f7a0e55442af5d75e16e7caf |
| SHA256 | 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea |
| SHA512 | a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4cM373DS.exe
| MD5 | 596d0897c9cc7e845657c71eb9272cf0 |
| SHA1 | 4b1a4b2764ab91c189af3d2f0089092d44df7cde |
| SHA256 | fe69138d1cad833c2db6de75f515925e4e679631d7b6240f3bb9558b982c5dd6 |
| SHA512 | 9d6905677cc1de62c4c608005f8b488f995a2f8854db046dc680baf0a3badf974d109e7cedffce12bc26fa68fba5c5cb68dd02c7d3b63e544eea9b9dd612cb18 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1RT60qh4.exe
| MD5 | 5d8c814cd8d34f969582fc1800c34c0f |
| SHA1 | 7998215f9c1747f188715d6ceede608e65d2dad2 |
| SHA256 | 984a3f281c2e5b19b4f408b4bf3b20ae51506ccd32e8c47190b8296db209ac93 |
| SHA512 | 3968801c482d7a02e3b1cbbd5913dbb502e3b42fd1c3aa3c94d47ab57aad07036f07187e749633f36599fc3c93f01371414a952421a8a26857dafe77e7e4a1d1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004c
| MD5 | 990324ce59f0281c7b36fb9889e8887f |
| SHA1 | 35abc926cbea649385d104b1fd2963055454bf27 |
| SHA256 | 67bcedd3040fc55d968bbe21df05c02b731181541aff4ae72b9205300a4a3ecc |
| SHA512 | 31e83da1ac217d25be6e7f35a041881b926f731fff69db6f144e4fe99b696a31f9ab7766ca22cf5a482743c2a2d00a699ca2c2d67837a86c471a2dd3bed9ea1f |
memory/6952-637-0x0000000074070000-0x0000000074820000-memory.dmp
memory/6328-640-0x00000000006A0000-0x00000000006AA000-memory.dmp
memory/6328-641-0x0000000074070000-0x0000000074820000-memory.dmp
memory/6952-642-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/6348-649-0x0000000000400000-0x0000000000434000-memory.dmp
memory/6348-650-0x0000000000400000-0x0000000000434000-memory.dmp
memory/6348-652-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4932-656-0x0000000000920000-0x000000000095E000-memory.dmp
memory/4932-657-0x0000000074070000-0x0000000074820000-memory.dmp
memory/4932-658-0x00000000078A0000-0x00000000078B0000-memory.dmp
memory/6704-659-0x0000000000400000-0x0000000000480000-memory.dmp
memory/6704-660-0x0000000000550000-0x00000000005AA000-memory.dmp
memory/6704-665-0x0000000074070000-0x0000000074820000-memory.dmp
memory/6704-668-0x00000000075A0000-0x00000000075B0000-memory.dmp
memory/6704-696-0x0000000008110000-0x0000000008176000-memory.dmp
memory/6952-702-0x0000000074070000-0x0000000074820000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 11c94dc9d1239c37a60be5358e9d7b4b |
| SHA1 | f562e8b0d40425b1bd18e9a882bc68528f74a84a |
| SHA256 | e939af626c3e7fed5eeaf63b9604b26832c28ea9dd75b996c1029244c9ea14ff |
| SHA512 | d0faec48306d4ca32464735b7c8274640c9b30f2401ea5f296b3f3fcff94b56d490ba2391fd5499c6f00fdc22d95db6db6b92cac05f66c501b163d1990e998bf |
memory/6328-718-0x0000000074070000-0x0000000074820000-memory.dmp
memory/6952-738-0x0000000007A60000-0x0000000007A70000-memory.dmp
memory/6328-740-0x0000000074070000-0x0000000074820000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
memory/4932-753-0x0000000074070000-0x0000000074820000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | b0ee2290cd77b5f7a561dcb33862d593 |
| SHA1 | a53b1ad0411a9d3ee332f9e0f19d041953305b3d |
| SHA256 | d4d3e4ae8aa3a30f10ec4a872c08719f79505c04570343659fdff6dcb7a9a9c6 |
| SHA512 | 01924c27f7fb9cbc8f4551ad1c2c3e95ed7c1ffff9a7d2dc9654babac5e982555e60c12ec1ef00e19c96ffe94abc1927a5675d06edd9f8977052f9e7877f5732 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | ab3c9298f9c1ffa0ef430a5f87707cdb |
| SHA1 | 35d74c935c948aff12e84470da740aab202a1900 |
| SHA256 | 72dc8841bcfd461f52e8f0582f799c4eaed8ee19ce75fb218fd8581760b13419 |
| SHA512 | 8aec00537d61b97919137f1f845843c6ecdf73b203a925c68c54b448aec6a77543bbc157b6b678730f96a556d79af3fdc428ebf0b6668454a53ef42aec1e6c9f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 6e283265c896a80d3da5264675e8142d |
| SHA1 | 32d33c84d4d59340aba569b792c5bfbb6ad170ac |
| SHA256 | 47c211bc942695454526b53e0c4ce6ba58bc6a97ec4512a448040c8d6140cc68 |
| SHA512 | f22d5bce7eb230ab108a4b5ec149c7e7e7f516fbb0f3c7d40e73a3d43ee63a74a4b7116ac29203fe3511692914ef0be2869f61ea5bcc5cb8557820fcaa855967 |
memory/4932-791-0x00000000078A0000-0x00000000078B0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 08e286d2d12ab53e7bd6b0198d2a83ef |
| SHA1 | 605a1ed86b46c248b1772f3984496946810df842 |
| SHA256 | d6aca066e268a078b051fbeba2fd4ae038cf4476d2d8c11ba2d1241ddd029807 |
| SHA512 | fb92b06c072fc0226c4c30bff875d962647e7df1a0815bc3b8557afc9cea13e3861066bae47849b3985f2a48534378653a34473743bad92222e3ce04a03b53ed |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5838de.TMP
| MD5 | ed7b460e7303af71e63b41b34807700e |
| SHA1 | 3ca641072167ca115704e46cc42e90bfcb75c64a |
| SHA256 | 5e92a58c9934336b59fe2eba9db26d8f1674ac4f95c73389987fed59a7b938a4 |
| SHA512 | fddeedf6b369ef00e4a9e8171577303318e68dfc31ca7b9d0b82ebd96548ce6206971d06c476457642e25a53be7cf09803adffe3a320aae0c4897b5915afe4a6 |
memory/6704-806-0x0000000000400000-0x0000000000480000-memory.dmp
memory/6704-813-0x0000000074070000-0x0000000074820000-memory.dmp
memory/7980-820-0x0000000000C00000-0x00000000015E4000-memory.dmp
memory/7980-821-0x0000000074070000-0x0000000074820000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 6f9469ccc7833a2ce02c82acca03410b |
| SHA1 | ae86bd68ee10f162538b856c6270c3255116dc0d |
| SHA256 | 4911e8bc14867ac4925d048aa5fa3c4df5499a8f8c4833776e6721f8e583dfcc |
| SHA512 | 45775d9fc6fdc2dfab63f3614bc15feecac8aeb432c52989bd9efd1b8798a2823f5eea988ecfdf3db1091150d89ee9e097fd35652d9444d9a87565b9788113b4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021
| MD5 | 9f1c899a371951195b4dedabf8fc4588 |
| SHA1 | 7abeeee04287a2633f5d2fa32d09c4c12e76051b |
| SHA256 | ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7 |
| SHA512 | 86e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c
| MD5 | 16d0a8bcbd4c95dd1a301f5477baf331 |
| SHA1 | fc87546d0b2729d0120ce7bb53884d0f03651765 |
| SHA256 | 70c40438ca2493e0bb5717ebcaf4c8f3cb670761463c3d8dd84646ee65e5cd3f |
| SHA512 | b554386babd36aae3e7dc6b2926e42176c21cafcf4406e4f71b94bd6bc1c3cc26dba0c4f5a1af3c94e2b623b3c783101f5a28f9dee35468ed217aa36496e275c |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 6e68805f0661dbeb776db896761d469f |
| SHA1 | 95e550b2f54e9167ae02f67e963703c593833845 |
| SHA256 | 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47 |
| SHA512 | 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d
| MD5 | bceb0378c3089b39ab86bdea6cd0ca3b |
| SHA1 | f0eff49f445b4186e8f3c45e0111d91655f00e6b |
| SHA256 | 70ec4829127eb434e7391065ebe48b74ea072cfa4a27b7267369422a0de459d7 |
| SHA512 | 64e8be49fac5a4857769e4ec0fac28f31d10075b58c86039bb6b6d2e9b4ddd1c4c7a3385717e450d8c19ceef3ce323b6c5ed1f4f6cdbb61ace01a61f102f76a9 |
memory/6704-870-0x00000000075A0000-0x00000000075B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 89c82822be2e2bf37b5d80d575ef2ec8 |
| SHA1 | 9fe2fad2faff04ad5e8d035b98676dedd5817eca |
| SHA256 | 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9 |
| SHA512 | 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101 |
C:\Users\Admin\AppData\Local\Temp\kos4.exe
| MD5 | 01707599b37b1216e43e84ae1f0d8c03 |
| SHA1 | 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2 |
| SHA256 | cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd |
| SHA512 | 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642 |
memory/7532-886-0x00000000001D0000-0x00000000001D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/7532-892-0x00007FF901C30000-0x00007FF9026F1000-memory.dmp
memory/7532-906-0x000000001AF30000-0x000000001AF40000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4f60648faf5b5a5b73305b28fd6be195 |
| SHA1 | 39f78d161054f165eca4bb7e573540a266250947 |
| SHA256 | 507997dcd2ffbd4ee0579646fd93507de6571a40f6c0f75cfaf1583dc1a4d356 |
| SHA512 | 6b911dc7f46514a0846488826fbf56822eda3822f4c24608a72c665fb866db45508d7254175e488f53cd9aa9749a11bb9a299a4981d4213498c91f20e2f3c407 |
memory/7980-918-0x0000000074070000-0x0000000074820000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
| MD5 | e66f6448c5609ef7ee0b2d220e289ded |
| SHA1 | 0992870010074965f3a05644713c6e1a62ad412b |
| SHA256 | 8a8a4bd3265874e840a69a2ad61936e5852ac38e476f11abee17448ec16f4eb7 |
| SHA512 | cc3386cc37939424475e48436af061824035b0af40b132f2a05a6eb6acc46ce74bc123e39ea812172eaba4558a78a1bf1240289c18e2b1250d2f8e266dee2ad1 |
memory/8108-972-0x0000000000400000-0x0000000000418000-memory.dmp
memory/7532-979-0x00007FF901C30000-0x00007FF9026F1000-memory.dmp
memory/7644-1035-0x0000000000710000-0x0000000000AF0000-memory.dmp
memory/7644-1037-0x0000000074070000-0x0000000074820000-memory.dmp
memory/7324-1053-0x00000000023D0000-0x00000000023D9000-memory.dmp
memory/7324-1056-0x00000000007D0000-0x00000000008D0000-memory.dmp
memory/7548-1057-0x0000000000400000-0x0000000000409000-memory.dmp
memory/7548-1055-0x0000000000400000-0x0000000000409000-memory.dmp
memory/7336-1054-0x0000000000610000-0x0000000000611000-memory.dmp
memory/6704-1061-0x0000000008B30000-0x0000000008BA6000-memory.dmp
memory/6384-1062-0x00000000029E0000-0x0000000002DE2000-memory.dmp
memory/6384-1075-0x0000000002DF0000-0x00000000036DB000-memory.dmp
memory/6384-1078-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/7644-1060-0x00000000053A0000-0x000000000543C000-memory.dmp
memory/8100-1103-0x0000000000400000-0x0000000000461000-memory.dmp
memory/8100-1107-0x00000000001C0000-0x00000000001FE000-memory.dmp
memory/8108-1127-0x0000000000400000-0x0000000000418000-memory.dmp
memory/6704-1153-0x0000000008BE0000-0x0000000008BFE000-memory.dmp
memory/8100-1152-0x0000000074070000-0x0000000074820000-memory.dmp
memory/7644-1172-0x0000000074070000-0x0000000074820000-memory.dmp
memory/7472-1174-0x0000000000400000-0x0000000000611000-memory.dmp
memory/7472-1196-0x0000000000400000-0x0000000000611000-memory.dmp
memory/7336-1209-0x0000000000610000-0x0000000000611000-memory.dmp
memory/7472-1222-0x0000000000400000-0x0000000000611000-memory.dmp
memory/7308-1204-0x0000000000CA0000-0x0000000000CBE000-memory.dmp
memory/7548-1225-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3244-1223-0x0000000003210000-0x0000000003226000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
| MD5 | b6d627dcf04d04889b1f01a14ec12405 |
| SHA1 | f7292c3d6f2003947cc5455b41df5f8fbd14df14 |
| SHA256 | 9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf |
| SHA512 | 1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
memory/8100-1261-0x00000000049A0000-0x0000000004A01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\350690463354
| MD5 | 02844b75c31183fb4d660c6d2cf85e93 |
| SHA1 | c3df89c32244d4e3f9cdd19a7343337029e062dc |
| SHA256 | 62701287b6b04aaa81715eb269d0ee256b93336eee221867b5118bccf7277e22 |
| SHA512 | 178bc9ebd612d21b1b90149bab1657db0af52044cad0d64f7d8bc832508fcbceceda84c77867c0a2025eec4bd12d475904d4045167da09f71b284a5b85c85a0e |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vtjgmgdg.qju.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | e0f17a4209c51d44d28e1d2e258e1ae4 |
| SHA1 | 3b2c08acb47c1de9a43e53445b9d6e34eeb511ec |
| SHA256 | feb714156efbd1d6473495686b3d545e7154e4d1f15a9e1b72b89c4a027f468e |
| SHA512 | c4ca214536f07d858442e9632a9dd80f15b9817b78f2c698f8146c33689d2071baf6fa274e609f492ab288971c380df54129a01e3543f99e2c4eac4856dafb0d |
memory/3172-1326-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3172-1331-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3172-1336-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | eb753a2da01719e245a07ecc63d620e2 |
| SHA1 | f933ecba17e0b99719184e984447e796281c177a |
| SHA256 | 1143a5c705716f84f593bbd2c3717f72779ace010ecc2c718cbaaace4d55c9ea |
| SHA512 | 827a56f298d2aa0c865743290dd8e6e43379717be5164f4f95de2f4bc206cfc6c4cdc54ec913960414a7f15c46dd234e4f354fbfff01d75dd73260be17325112 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d5993de453cea3a1e1ccb4d64edb7742 |
| SHA1 | 7487c59465d1749c02bc402e376c686abd26b606 |
| SHA256 | 78dfab1bc723d2fb5122d07c10521f90fde8472f6b0e2c3cc48c0052a6ce42b5 |
| SHA512 | bd5b66a5127a9b82b25e0b522356dd06bffea286785300bc0b73f3f18914823987769615f2d2b7e740df6a0cf235d4b6df5d752d9c5a78a9b8ff7b4d8f159a4d |
C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll
| MD5 | 1c27631e70908879e1a5a8f3686e0d46 |
| SHA1 | 31da82b122b08bb2b1e6d0c904993d6d599dc93a |
| SHA256 | 478aa272d465eaa49c2f12fc141af2c0581f569ccf67f628747d90cc03a1e6a9 |
| SHA512 | 7230ccad5e910f4f1aafb26642670c227a5d6e30f9c3de9a111e9c471651e54e352c56f34093667e6a51e78d01f3271c5e9d3248de5e1e82ae0e5d2aaea977dd |
C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll
| MD5 | ceffd8c6661b875b67ca5e4540950d8b |
| SHA1 | 91b53b79c98f22d0b8e204e11671d78efca48682 |
| SHA256 | da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2 |
| SHA512 | 6f78e3479c7b80cee0c2cea33a5b3e06c65b3e85a558f2df4b72211f714b81a2549daed0bc7ffe1456867b447ede9caeec73a6c4d2b345aad664d501212d07d4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1cffc2103155d513604aa964d3ded95c |
| SHA1 | e1294b1e18fa3e008bec4f6f0de7860b83b6d4ad |
| SHA256 | 476535087715af0ed6fff3b51fd664922746a0cdf08ac9bb22d1ed477d9928b2 |
| SHA512 | 2e8fe8f88c74092b35db8bb1fa18c9b7947ff4b8d6cb9f955dccbb3147ac1d66c73b4c8d146af5a2cbd22651be8647774981ad48e904c10c0309990abb82be33 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7af1c69f601d199c90ca7159efc51fa7 |
| SHA1 | f58cbbfa8853671a725b8a151e25ebd45a872bcb |
| SHA256 | 84ab2486c8673be0700bd7dcd3dcbed4d0ab6039ba699e270b9810ea7d753da1 |
| SHA512 | f2c30a6cfbc73e99282c5c062fd5e7d66995eb11854247f75eaae3f05208fab2965ec17524a1fc6cb283a36026c1b9b0b898cd49f95a7300c965f76298eeb576 |
C:\Users\Admin\AppData\Local\Temp\tmpB2D0.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmpB306.tmp
| MD5 | aeb9754f2b16a25ed0bd9742f00cddf5 |
| SHA1 | ef96e9173c3f742c4efbc3d77605b85470115e65 |
| SHA256 | df20bc98e43d13f417cd68d31d7550a1febdeaf335230b8a6a91669d3e69d005 |
| SHA512 | 725662143a3ef985f28e43cc2775e798c8420a6d115fb9506fdfcc283fc67054149e22c6bc0470d1627426c9a33c7174cefd8dc9756bf2f5fc37734d5fcecc75 |
C:\Users\Admin\AppData\Local\Temp\tmpB3B4.tmp
| MD5 | af9eeb61432e46ed96843ce9510c8f9b |
| SHA1 | c123b90010dc488843e33ca8f15492f1360f121e |
| SHA256 | 62311422c777320ff78a8949c79bd2948ee7ffc790addcc65ac154a5a6549e80 |
| SHA512 | e3942a197b726c8f20d4db0a91b48f5d91906ea18ecef918dfaf6d938c8fab917ef6cf1a92830e2aed70da43ac612c858ce932969d4760ea7c18859b2e8bff1b |
C:\Users\Admin\AppData\Local\Temp\tmpB38F.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\tmpB3F5.tmp
| MD5 | 901fa25be049ca92c32f1f7fa7628696 |
| SHA1 | 2079a7abb3d046c6e523f79cb22ee8395124cf71 |
| SHA256 | 827dab15697cb41725714d42533ec3d21190cb1b7396b160dbbec7cee7d550ef |
| SHA512 | 5cb42787d3635d4cc5d50f7f5e7827a6bab43378fbcd52546f5863e77decc949777bde788473d30f65efeb0a2ef5d0a4f523dd91ac77d57076430e8fc876f04b |
C:\Users\Admin\AppData\Local\Temp\tmpB430.tmp
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
memory/6384-1597-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/6384-1604-0x0000000000400000-0x0000000000D1B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1bd329bc99f51fc61195daad52320344 |
| SHA1 | 5354ace568a2ee5d97891f0ef5ebcc75bc35094a |
| SHA256 | 1ed75c1fb069e6c217fe44239c39e70555aa9ce678770734f42eb8a8a33b3585 |
| SHA512 | 5c23c61aa39d0866894f954313e52acd1381e49ccf6ee225e0c649f5825670df96823048ddc71e897f66d7d18919318b96367d8b3c71d1fff636bbd381d2fbe9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
memory/3932-1677-0x00007FF6BBB80000-0x00007FF6BC121000-memory.dmp