Malware Analysis Report

2025-06-16 01:30

Sample ID 231031-kva3esee78
Target NEAS.6f6fc13e7e619d425ea2149787617750.exe
SHA256 3089e03eb85658864d3e9f160de80d309273a8f0dc03cd435e81a24e31f2770b
Tags
amadey dcrat glupteba raccoon redline sectoprat smokeloader xmrig zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza pixelnew up3 backdoor paypal collection discovery dropper evasion infostealer loader miner persistence phishing rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3089e03eb85658864d3e9f160de80d309273a8f0dc03cd435e81a24e31f2770b

Threat Level: Known bad

The file NEAS.6f6fc13e7e619d425ea2149787617750.exe was found to be: Known bad.

Malicious Activity Summary

SectopRAT payload

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine payload

RedLine

xmrig

SectopRAT

Modifies Windows Defender Real-time Protection settings

SmokeLoader

Raccoon

ZGRat

Glupteba

Detect ZGRat V1

Raccoon Stealer payload

Amadey

DcRat

Glupteba payload

XMRig Miner payload

Stops running service(s)

Downloads MZ/PE file

Blocklisted process makes network request

Drops file in Drivers directory

Modifies Windows Firewall

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Windows security modification

Looks up external IP address via web service

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Detected potential entity reuse from brand paypal.

Launches sc.exe

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

Enumerates system info in registry

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

outlook_office_path

Suspicious use of SendNotifyMessage

outlook_win_path

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-31 08:54

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-31 08:54

Reported

2023-10-31 10:41

Platform

win10v2004-20231023-en

Max time kernel

79s

Max time network

157s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.6f6fc13e7e619d425ea2149787617750.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A (×2)
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×4)

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\E60E.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\E60E.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\E60E.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\E60E.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\E60E.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×3)

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×11)

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Stops running service(s)

evasion

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A (×2)
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\160F.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1ECB.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xX9Cy43.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Se34BR3.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vL0222.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3au59mI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E1E4.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E30E.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DJ3mp5Dk.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jZ5ai6Xa.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UQ9te6sO.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E542.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E60E.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qw4rj3Rw.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Wz07zT4.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E91E.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lj227fw.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\32.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67C.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cacls.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\160F.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\192D.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ECB.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
N/A | N/A | C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe | N/A (×2)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\E60E.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\160F.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\160F.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\160F.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\160F.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\160F.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jZ5ai6Xa.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UQ9te6sO.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qw4rj3Rw.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\32.exe'\"" | C:\Users\Admin\AppData\Local\Temp\32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.6f6fc13e7e619d425ea2149787617750.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xX9Cy43.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\E1E4.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DJ3mp5Dk.exe | N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A (×2)

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\LAudioConverter\is-F0350.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\LAudioConverter\is-7SO51.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\LAudioConverter\XML\Styles\is-7KALB.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\LAudioConverter\is-U9KBC.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\LAudioConverter\XML\Styles\is-05ONP.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A
File opened for modification | C:\Program Files (x86)\LAudioConverter\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A
File opened for modification | C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\LAudioConverter\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\LAudioConverter\is-NI01G.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\LAudioConverter\is-PLFSD.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\LAudioConverter\is-VJVLF.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\LAudioConverter\XML\Styles\is-8VUE4.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\LAudioConverter\is-L3P8U.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\LAudioConverter\is-FUMK7.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\LAudioConverter\is-L8R5V.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\LAudioConverter\is-2NKBP.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\LAudioConverter\is-EC1SL.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A
File created | C:\Program Files (x86)\LAudioConverter\is-2T891.tmp | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3au59mI.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3au59mI.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3au59mI.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3au59mI.exe | N/A (×2)
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A (×2)
N/A | N/A | C:\Windows\Explorer.EXE | N/A (×60)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3au59mI.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A (×4, alternating with the next row)
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A (×4)
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E60E.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A (×17, alternating with the next row)
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A (×17)
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A (×5, alternating with the next row)
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A (×5)
Token: SeDebugPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A (×4, alternating with the next row)
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A (×4)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (×25)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1ECB.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (×24)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1800 wrote to memory of 4896 | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.6f6fc13e7e619d425ea2149787617750.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xX9Cy43.exe (×3)
PID 4896 wrote to memory of 4516 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xX9Cy43.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Se34BR3.exe (×3)
PID 4516 wrote to memory of 3436 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Se34BR3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (×8)
PID 4896 wrote to memory of 4592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xX9Cy43.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vL0222.exe (×3)
PID 4592 wrote to memory of 4640 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vL0222.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (×3)
PID 4592 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vL0222.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (×3)
PID 4592 wrote to memory of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vL0222.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (×4)
PID 4592 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vL0222.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4592 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vL0222.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4592 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vL0222.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4592 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vL0222.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4592 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vL0222.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4592 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vL0222.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1800 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.6f6fc13e7e619d425ea2149787617750.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3au59mI.exe
PID 1800 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.6f6fc13e7e619d425ea2149787617750.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3au59mI.exe
PID 1800 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\NEAS.6f6fc13e7e619d425ea2149787617750.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3au59mI.exe
PID 3224 wrote to memory of 4616 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E1E4.exe
PID 3224 wrote to memory of 4616 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E1E4.exe
PID 3224 wrote to memory of 4616 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E1E4.exe
PID 3224 wrote to memory of 1324 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E30E.exe
PID 3224 wrote to memory of 1324 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E30E.exe
PID 3224 wrote to memory of 1324 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E30E.exe
PID 4616 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\E1E4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DJ3mp5Dk.exe
PID 4616 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\E1E4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DJ3mp5Dk.exe
PID 4616 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\E1E4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DJ3mp5Dk.exe
PID 1720 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DJ3mp5Dk.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jZ5ai6Xa.exe
PID 1720 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DJ3mp5Dk.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jZ5ai6Xa.exe
PID 1720 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DJ3mp5Dk.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jZ5ai6Xa.exe
PID 3224 wrote to memory of 4912 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3224 wrote to memory of 4912 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2716 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jZ5ai6Xa.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UQ9te6sO.exe
PID 2716 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jZ5ai6Xa.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UQ9te6sO.exe
PID 2716 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jZ5ai6Xa.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UQ9te6sO.exe
PID 3224 wrote to memory of 1460 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E542.exe
PID 3224 wrote to memory of 1460 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E542.exe
PID 3224 wrote to memory of 1460 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E542.exe
PID 3224 wrote to memory of 5076 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E60E.exe
PID 3224 wrote to memory of 5076 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E60E.exe
PID 3224 wrote to memory of 5076 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E60E.exe
PID 1884 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UQ9te6sO.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qw4rj3Rw.exe
PID 1884 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UQ9te6sO.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qw4rj3Rw.exe
PID 1884 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UQ9te6sO.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qw4rj3Rw.exe
PID 3224 wrote to memory of 4516 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmd.exe
PID 3224 wrote to memory of 4516 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\cmd.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\160F.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\160F.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.6f6fc13e7e619d425ea2149787617750.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.6f6fc13e7e619d425ea2149787617750.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xX9Cy43.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xX9Cy43.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Se34BR3.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Se34BR3.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vL0222.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vL0222.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3au59mI.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3au59mI.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3656 -ip 3656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3656 -s 540

C:\Users\Admin\AppData\Local\Temp\E1E4.exe

C:\Users\Admin\AppData\Local\Temp\E1E4.exe

C:\Users\Admin\AppData\Local\Temp\E30E.exe

C:\Users\Admin\AppData\Local\Temp\E30E.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DJ3mp5Dk.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DJ3mp5Dk.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jZ5ai6Xa.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jZ5ai6Xa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E3F9.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UQ9te6sO.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UQ9te6sO.exe

C:\Users\Admin\AppData\Local\Temp\E542.exe

C:\Users\Admin\AppData\Local\Temp\E542.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qw4rj3Rw.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qw4rj3Rw.exe

C:\Users\Admin\AppData\Local\Temp\E60E.exe

C:\Users\Admin\AppData\Local\Temp\E60E.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Wz07zT4.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Wz07zT4.exe

C:\Users\Admin\AppData\Local\Temp\E6DB.exe

C:\Users\Admin\AppData\Local\Temp\E6DB.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Users\Admin\AppData\Local\Temp\E91E.exe

C:\Users\Admin\AppData\Local\Temp\E91E.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1124 -ip 1124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb960146f8,0x7ffb96014708,0x7ffb96014718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb960146f8,0x7ffb96014708,0x7ffb96014718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb960146f8,0x7ffb96014708,0x7ffb96014718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb960146f8,0x7ffb96014708,0x7ffb96014718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb960146f8,0x7ffb96014708,0x7ffb96014718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffb960146f8,0x7ffb96014708,0x7ffb96014718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb960146f8,0x7ffb96014708,0x7ffb96014718

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lj227fw.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lj227fw.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb960146f8,0x7ffb96014708,0x7ffb96014718

C:\Users\Admin\AppData\Local\Temp\FD33.exe

C:\Users\Admin\AppData\Local\Temp\FD33.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4952 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4952 -ip 4952

C:\Users\Admin\AppData\Local\Temp\32.exe

C:\Users\Admin\AppData\Local\Temp\32.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,17415244374629482097,15405687151174063914,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,17415244374629482097,15405687151174063914,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,1713442762992931718,15419018810013764630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1713442762992931718,15419018810013764630,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2892 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1456,10664793621180808952,17780012138265315361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,10144665821369977742,2960388502994163397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2960 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2916 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,5010915828688973991,3727692112214688158,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2908 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,268153634122161187,8324594992865933488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,10144665821369977742,2960388502994163397,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,268153634122161187,8324594992865933488,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1456,10664793621180808952,17780012138265315361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\67C.exe

C:\Users\Admin\AppData\Local\Temp\67C.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,5010915828688973991,3727692112214688158,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\1070.exe

C:\Users\Admin\AppData\Local\Temp\1070.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,17961674566853343661,6450613465846849984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\192D.exe

C:\Users\Admin\AppData\Local\Temp\192D.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\160F.exe

C:\Users\Admin\AppData\Local\Temp\160F.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1ECB.exe

C:\Users\Admin\AppData\Local\Temp\1ECB.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5688 -ip 5688

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 784

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F

C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OT3GE.tmp\LzmwAqmV.tmp" /SL5="$302D0,2998240,68096,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7412 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 7048 -ip 7048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7048 -s 572

C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe

"C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe" -s

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\ea7c8244c8" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\ea7c8244c8" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "Utsysc.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "Utsysc.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe

"C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe" -i

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4360 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4360 /prefetch:8

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "LAC1031-1"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ea7c8244c8" /P "Admin:N"&&CACLS "..\ea7c8244c8" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

C:\Windows\system32\tar.exe

tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\847444993605_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7116 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2096,10008982225289312149,860528902215074038,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6380 /prefetch:8

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe
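
The command lines above can be triaged mechanically. The Python below is an added example, not part of the sandbox report: a small rule set that tags each command line with the MITRE ATT&CK technique it exhibits (minute-interval and ONLOGON scheduled tasks, the Defender path exclusion, the Windows Update service stops, the powercfg changes, the firewall allow rule, the CACLS deny-ACL Amadey puts on its own drop directory, rundll32 plugin loads from %APPDATA%, the csrss.exe name masquerade, the taskmgr hook injector, tar.exe collection and Wi-Fi profile enumeration). The regular expressions and the technique mapping are mine, not the sandbox's signature logic; the sample lines are copied from the process list above, plus one ordinary Edge renderer line as a control that must not fire.

```python
import re
from collections import Counter

# Each rule: (label, ATT&CK technique ID, pattern). Patterns run case-insensitively
# over one command line at a time. The mapping is my reading of the behaviour in
# this report, not the sandbox's own signatures (added example, not page code).
RULES = [
    ("schtasks task re-run every minute", "T1053.005",
     re.compile(r'schtasks(\.exe)?"?\s+/create\b.*?/sc\s+minute\s+/mo\s+1\b', re.I)),
    ("schtasks ONLOGON task at highest run level", "T1053.005",
     re.compile(r'schtasks.*?/create\b.*?/sc\s+onlogon\b.*?/rl\s+highest\b', re.I)),
    ("Register-ScheduledTask as SYSTEM from PowerShell", "T1053.005",
     re.compile(r"Register-ScheduledTask\b.*?-User\s+'?System'?", re.I)),
    ("Defender path exclusion via Add-MpPreference", "T1562.001",
     re.compile(r"Add-MpPreference\b.*?-ExclusionPath", re.I)),
    ("netsh firewall allow rule for a dropped binary", "T1562.004",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?action=allow", re.I)),
    ("stops Windows Update / BITS / delivery services", "T1489",
     re.compile(r"\bsc\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    ("disables standby and hibernate timeouts", "T1653",
     re.compile(r"powercfg\s+/x\s+-(standby|hibernate)-timeout-(ac|dc)\s+0\b", re.I)),
    ("CACLS deny ACL on dropped payload or its directory", "T1222.001",
     re.compile(r'\bCACLS\b.*?/P\s+"[^"]+:N"', re.I)),
    ("rundll32 loading a DLL from %APPDATA%", "T1218.011",
     re.compile(r'rundll32(\.exe)?"?\s+\S*\\AppData\\Roaming\\.*?\.dll\s*,', re.I)),
    ("tar.exe archiving user files into %TEMP%", "T1560.001",
     re.compile(r"\btar(\.exe)?\s+-cf\b", re.I)),
    ("Wi-Fi profile enumeration", "T1016",
     re.compile(r"netsh\s+wlan\s+show\s+profiles\b", re.I)),
    ("csrss.exe outside System32 (name masquerade)", "T1036.005",
     re.compile(r"(?<!System32\\)csrss\.exe", re.I)),
    ("injector loading an NtQuerySystemInformation hook into taskmgr", "T1055.001",
     re.compile(r"injector\.exe\s+taskmgr\.exe\s+\S*NtQuerySystemInformationHook\.dll", re.I)),
]


def classify(cmdline):
    """All (label, technique) rules that fire on one command line."""
    return [(label, tid) for label, tid, pat in RULES if pat.search(cmdline)]


def techniques(cmdline):
    """Sorted, de-duplicated technique IDs for one command line."""
    return sorted({tid for _, tid in classify(cmdline)})


def triage(cmdlines):
    """Map every flagged command line to its technique IDs and count techniques overall."""
    hits, counts = {}, Counter()
    for line in cmdlines:
        tids = techniques(line)
        if tids:
            hits[line] = tids
            counts.update(tids)
    return hits, counts


# Sample input: command lines copied from the process list of this report, plus
# one ordinary Edge renderer line (last) as a control that must not fire any rule.
SAMPLE = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force',
    r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc',
    r'powercfg /x -standby-timeout-ac 0',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\847444993605_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US --disable-client-side-phishing-detection /prefetch:1',
]

if __name__ == "__main__":
    hits, counts = triage(SAMPLE)
    for line, tids in hits.items():
        print(", ".join(tids), "<-", line[:90])
    print("technique counts:", dict(counts))
```

Two caveats when running this over real telemetry rather than a sandbox listing: the csrss rule fires on the firewall and schtasks lines as well as on the binary itself, which is intended (each of those lines references the masqueraded path), and the Register-ScheduledTask rule keys on the -User 'System' argument, so a task registered under the calling user would need a looser pattern.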

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 249.68.91.77.in-addr.arpa udp
NL 194.169.175.118:80 194.169.175.118 tcp
US 8.8.8.8:53 118.175.169.194.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
RU 193.233.255.73:80 193.233.255.73 tcp
US 8.8.8.8:53 73.255.233.193.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 www.epicgames.com udp
US 8.8.8.8:53 www.paypal.com udp
US 8.8.8.8:53 accounts.google.com udp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 store.steampowered.com udp
US 8.8.8.8:53 twitter.com udp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 151.101.1.21:443 www.paypal.com tcp
US 151.101.1.21:443 www.paypal.com tcp
US 3.227.131.25:443 www.epicgames.com tcp
US 3.227.131.25:443 www.epicgames.com tcp
JP 23.207.106.113:443 steamcommunity.com tcp
JP 23.207.106.113:443 steamcommunity.com tcp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 21.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 157.240.247.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 149.40.62.171:15666 tcp
US 8.8.8.8:53 25.131.227.3.in-addr.arpa udp
US 8.8.8.8:53 113.106.207.23.in-addr.arpa udp
US 8.8.8.8:53 162.47.239.18.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
IT 185.196.9.171:80 185.196.9.171 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 171.62.40.149.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 171.9.196.185.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 64.185.227.156:443 api.ipify.org tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 156.227.185.64.in-addr.arpa udp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 21.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
US 8.8.8.8:53 facebook.com udp
FI 77.91.124.1:80 77.91.124.1 tcp
DE 148.251.234.93:443 iplogger.com tcp
IE 163.70.151.35:443 facebook.com tcp
IE 163.70.151.35:443 facebook.com tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 35.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 stim.graspalace.com udp
US 188.114.97.0:80 stim.graspalace.com tcp
US 8.8.8.8:53 fbcdn.net udp
IE 163.70.151.35:443 fbcdn.net tcp
IE 163.70.151.35:443 fbcdn.net tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 fbsbx.com udp
FI 77.91.124.86:19084 tcp
US 194.49.94.11:80 194.49.94.11 tcp
US 8.8.8.8:53 11.94.49.194.in-addr.arpa udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 185.196.8.176:80 185.196.8.176 tcp
US 185.196.8.176:80 185.196.8.176 tcp
US 8.8.8.8:53 tracking.epicgames.com udp
US 8.8.8.8:53 static-assets-prod.unrealengine.com udp
US 8.8.8.8:53 community.akamai.steamstatic.com udp
US 8.8.8.8:53 www.paypalobjects.com udp
US 54.166.243.177:443 tracking.epicgames.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 54.166.243.177:443 tracking.epicgames.com tcp
US 18.239.36.73:443 static-assets-prod.unrealengine.com tcp
US 18.239.36.73:443 static-assets-prod.unrealengine.com tcp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
NL 23.72.252.160:443 community.akamai.steamstatic.com tcp
US 8.8.8.8:53 i.ytimg.com udp
NL 142.250.179.150:443 i.ytimg.com tcp
US 8.8.8.8:53 176.8.196.185.in-addr.arpa udp
US 8.8.8.8:53 25.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 73.36.239.18.in-addr.arpa udp
US 8.8.8.8:53 177.243.166.54.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 150.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
US 185.196.8.176:80 185.196.8.176 tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 185.196.8.176:80 185.196.8.176 tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 community.akamai.steamstatic.com udp
NL 23.72.252.169:443 community.akamai.steamstatic.com tcp
NL 23.72.252.169:443 community.akamai.steamstatic.com tcp
NL 23.72.252.169:443 community.akamai.steamstatic.com tcp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 169.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 c.paypal.com udp
US 8.8.8.8:53 static-assets-prod.unrealengine.com udp
US 18.239.36.105:443 static-assets-prod.unrealengine.com tcp
US 8.8.8.8:53 105.36.239.18.in-addr.arpa udp
US 8.8.8.8:53 login.steampowered.com udp
JP 23.207.106.113:443 login.steampowered.com tcp
US 192.55.233.1:443 tcp
US 8.8.8.8:53 www.recaptcha.net udp
US 8.8.8.8:53 host-file-host6.com udp
NL 172.217.168.227:443 www.recaptcha.net tcp
US 8.8.8.8:53 host-host-file8.com udp
US 8.8.8.8:53 t.paypal.com udp
US 151.101.1.35:443 t.paypal.com tcp
US 192.55.233.1:443 tcp
US 95.214.26.28:80 host-host-file8.com tcp
US 8.8.8.8:53 227.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 35.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 28.26.214.95.in-addr.arpa udp
NL 172.217.168.227:443 www.recaptcha.net udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 sentry.io udp
US 35.186.247.156:443 sentry.io tcp
US 8.8.8.8:53 156.247.186.35.in-addr.arpa udp
US 8.8.8.8:53 api.steampowered.com udp
JP 23.207.106.113:443 api.steampowered.com tcp
US 8.8.8.8:53 talon-website-prod.ecosec.on.epicgames.com udp
US 104.18.41.136:443 talon-website-prod.ecosec.on.epicgames.com tcp
US 8.8.8.8:53 136.41.18.104.in-addr.arpa udp
US 8.8.8.8:53 www.paypal.com udp
US 8.8.8.8:53 b.stats.paypal.com udp
US 64.4.245.84:443 b.stats.paypal.com tcp
US 8.8.8.8:53 dub.stats.paypal.com udp
US 64.4.245.84:443 dub.stats.paypal.com tcp
US 8.8.8.8:53 84.245.4.64.in-addr.arpa udp
US 8.8.8.8:53 c6.paypal.com udp
US 151.101.1.35:443 c6.paypal.com tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 talon-service-prod.ecosec.on.epicgames.com udp
US 104.18.41.136:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 104.18.41.136:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 104.18.41.136:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 8.8.8.8:53 js.hcaptcha.com udp
US 104.19.219.90:443 js.hcaptcha.com tcp
US 8.8.8.8:53 90.219.19.104.in-addr.arpa udp
US 8.8.8.8:53 newassets.hcaptcha.com udp
US 8.8.8.8:53 www.epicgames.com udp
US 8.8.8.8:53 hcaptcha.com udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 216.58.208.98:443 googleads.g.doubleclick.net tcp
FI 77.91.124.86:19084 tcp
GB 216.58.208.98:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 42bf3981-224e-407d-9dfa-7bd583dbb622.uuid.statsexplorer.org udp
US 8.8.8.8:53 98.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.65.182:14433 xmr-eu1.nanopool.org tcp
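
Most rows in the table above are noise for indicator purposes (reverse-DNS lookups against 8.8.8.8, mDNS to 224.0.0.251, CDN and web-site traffic from the Edge processes). The Python below is an added example, not part of the sandbox report: a parser for the Country / Destination / Domain / Proto rows (the Domain column is sometimes absent) that drops the noise and groups what remains into the categories an analyst would pull out of this report: the XMRig pool connection to xmr-eu1.nanopool.org, the external-IP check services (api.ipify.org, api.ip.sb, iplogger.com), bare-IP HTTP on port 80 as used by the loaders here, and bare-IP connections on non-standard ports (4341, 15666, 19084). The category names and the host lists are mine and are heuristics; a bare-IP connection is where to look for C2, not proof of it. The sample rows are copied from the table above.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]   # None when the sandbox printed no hostname for the row
    proto: str


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows; the Domain column may be absent."""
    flows = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue                         # blank line or malformed row
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue                         # header row ("Destination" has no port)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


RESOLVER = "8.8.8.8"                              # the sandbox's DNS resolver
MINING_POOL_SUFFIXES = ("nanopool.org",)          # pool seen in this report; extend as needed
IP_CHECK_HOSTS = {"api.ipify.org", "api.ip.sb", "iplogger.com"}   # my list, from the table


def categorize(flow):
    """Return an IOC category for one flow, or None for rows that are only noise."""
    addr = ipaddress.ip_address(flow.ip)
    if addr.is_multicast or addr.is_private or addr.is_loopback:
        return None                               # mDNS and LAN chatter
    if flow.ip == RESOLVER and flow.port == 53:
        return None                               # DNS lookups; the TCP row that follows is kept instead
    if flow.domain and flow.domain.endswith(MINING_POOL_SUFFIXES):
        return "mining-pool"
    if flow.domain in IP_CHECK_HOSTS:
        return "external-ip-check"
    if flow.domain is None or flow.domain == flow.ip:
        return "bare-ip-http" if flow.port == 80 else "bare-ip-nonstandard-port"
    return "named-host"                           # ordinary sites; not attributable from this table alone


def extract_iocs(flows):
    """Group unique destinations by category (duplicate rows collapse to one entry)."""
    buckets = defaultdict(set)
    for f in flows:
        cat = categorize(f)
        if cat is None:
            continue
        key = f"{f.ip}:{f.port}" if f.domain in (None, f.ip) else f"{f.domain} ({f.ip}:{f.port})"
        buckets[cat].add(key)
    return {cat: sorted(keys) for cat, keys in buckets.items()}


# Sample input: rows copied from the network table of this report, header included.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 www.paypal.com udp
US 151.101.1.21:443 www.paypal.com tcp
US 149.40.62.171:15666 tcp
US 8.8.8.8:53 api.ipify.org udp
US 64.185.227.156:443 api.ipify.org tcp
FI 77.91.124.86:19084 tcp
US 104.26.12.31:443 api.ip.sb tcp
DE 148.251.234.93:443 iplogger.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.65.182:14433 xmr-eu1.nanopool.org tcp
"""

if __name__ == "__main__":
    for cat, keys in extract_iocs(parse_rows(SAMPLE_ROWS)).items():
        print(f"{cat}:")
        for k in keys:
            print("   ", k)
```

Feeding the full table through this collapses the repeated 77.91.124.86:19084 rows into one entry and separates the pool, the IP-check services and the bare-IP destinations from the PayPal, Google, Steam and Epic traffic; the named-host bucket is kept only so nothing is silently lost.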

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xX9Cy43.exe

MD5 ec2dbbb88a6674002f2e3b1f2e10113f
SHA1 a90a894c14972218527fe563ad74ca6576d4b762
SHA256 03d08349294ef44c9e1e521d0bf918c84e69d70bf6f7c6d5de9a94f29d6f471f
SHA512 0474d8fd2b0b765c756b67c534d2cb6515d737b08f5c8e7534434bcef3feaa0a3d97e8563ae344f57c39bf0b3efa97fe153dc6bb142efdbe87c529b3c7bf4da4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Se34BR3.exe

MD5 630074ba97288fe53a1fb9260e1eb64d
SHA1 e04023d2354d98362e785e359c8ff221a1cc2dfc
SHA256 d71823263c419a4cae4d901b799f5849761d100c387f19247059c73e86f8f8bc
SHA512 65ae9fa8205a6090c7769bbfb46b7a0daf55d1e27795de07f34e97c46caff831066dfcb0842604ef6c603863b6d515dcce10a57f7b1b224f103eeb11092ae2ae

memory/3436-14-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2vL0222.exe

MD5 7ae896700c6a7c8ca974166315d197bb
SHA1 a6b6520d103807edaef30eea48503a21233f5bc8
SHA256 16d8fb105ca3765d9a91ce2f0aebd4a9d31ab90ab888f4f8e7e7090547cb34b8
SHA512 e933efde83e12c2854e1ea5a6337a5019f15a7196212c0c9015f91196d34e8e33ffada806dd873c4f79ee0e575bfcdeea483763d7844cc93b83bef0ec358b8d1

memory/3436-18-0x0000000073DC0000-0x0000000074570000-memory.dmp

memory/3656-19-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3656-20-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3656-21-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3656-25-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3au59mI.exe

MD5 0200021c4f99e3f2cf5ab0816ef5f028
SHA1 99a6c40efcfe3fe99ca0097e8d65a117725e6449
SHA256 2dca791eb454a6f21d8b868b749b3acde880f891794f77b09d126e12114b3935
SHA512 3d7b282636082958ec350de624d1783e902e4ceb0e03200c07e838767d375f3de232c6d6e8b9375a27634695d6f2e282f99aee20db5de8897dd193c487f55f18

memory/3852-27-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3224-28-0x0000000002910000-0x0000000002926000-memory.dmp

memory/3852-29-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3436-32-0x0000000073DC0000-0x0000000074570000-memory.dmp

memory/3436-34-0x0000000073DC0000-0x0000000074570000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E1E4.exe

MD5 f0474869cf91264a91dd2ac0619bd399
SHA1 341e728017656dd0fc6c0cc0679ad93c3e36ff7c
SHA256 f675d5038b35f0bf9523a3e732b542f22246e799517add0a6bd3bfc018a8cfae
SHA512 746a5396af402b5781d572ad4678a2c1dbc824c19026c5bcfbcf81d6ab0ebc50d29335bbe76d5d3fb596fcc337410141522e3222143cb579ac8a0aba5cc97341

C:\Users\Admin\AppData\Local\Temp\E30E.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DJ3mp5Dk.exe

MD5 3ef62f20741df55e8173081751beb2c9
SHA1 127339663b629978c8004e66d94726850a701343
SHA256 1ce4d192fecd05eea816c875174a240cbfb609c3982fba0e22cd4db81a4210b1
SHA512 ffa6f8e2bffb3436c0c9ceb25d4cc435271aeb48781cb294c30e37232adbae87bb77fa9a6edd6b2c4ce0dced0fb42c11f07567b87aa5c4c7c6f3a5867d410f00

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jZ5ai6Xa.exe

MD5 d5b557fe71e341c0ebe19426958edd21
SHA1 ba88aee0c5e1caacf4d5503c5d56ff0e558e0859
SHA256 d113efd6ffd747963f2727a9084fcea465a1dfe6a25ed5f4ff5aada6b08aa61c
SHA512 1aaeb7e3b39b7ea17dc68a29ee652125a6cf43f871dc2d530143355a9f71a0c1a5d7872ebba4737f95f8c4d6b1eb75b019127ec76da429577c03637b3dcffdab

C:\Users\Admin\AppData\Local\Temp\E3F9.bat

MD5 e79bae3b03e1bff746f952a0366e73ba
SHA1 5f547786c869ce7abc049869182283fa09f38b1d
SHA256 900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63
SHA512 c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\UQ9te6sO.exe

MD5 8765c5cb1dbcf331ff5cdfdd6ba5dd5f
SHA1 c69de8d33c672e8d2f656ef1aa4209d2b83a9871
SHA256 cacb7a4c8a2d0b408e839249e75a80ea9f3b97e569945e0aac0c9b87e507203b
SHA512 034d9ae17eac2dd1b4e4cea9836864c3742ecddc564a67193cda46e80bb0e191249bd228a2a5485bceecdeaf99632a6a6c195d54261968d021a4160cf6ff0915

C:\Users\Admin\AppData\Local\Temp\E542.exe

MD5 73089952a99d24a37d9219c4e30decde
SHA1 8dfa37723afc72f1728ec83f676ffeac9102f8bd
SHA256 9aa54a5b73fe93d789ec1707ebd41ff824fcf6ba34b18d97ebc566cee8cbce60
SHA512 7088b995c0f6425ad4460b1f286d36e5b7ca3d79308febfac7f212e630b00569239e0b22455198739d20b1fbae1b70c24c22f41a34bab19a793aaa31164aa2d2

memory/1460-76-0x0000000073940000-0x00000000740F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Qw4rj3Rw.exe

MD5 1677947e16b2a863ecb2889d001d1064
SHA1 45af1b0e5564451d0499e06db71752da7f9f74d4
SHA256 229771e8f4605a29aa8a4fdce6dfa5a2ccbb40d8daf446c306511cff44221998
SHA512 9407b4cd772eb050a6ef6c319f0a067c9b3e43ce4d83d7b9f1edbce3e2acc9e6c6ddff8a40540d2a0c219e83dd3ee9781c6da575d5a13fab9658cd88ae7c353c

memory/5076-84-0x0000000000790000-0x000000000079A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E60E.exe

MD5 d2ed05fd71460e6d4c505ce87495b859
SHA1 a970dfe775c4e3f157b5b2e26b1f77da7ae6d884
SHA256 3a119008fd025a394f6fb93a0c941e1dc0fa1f9c7606a674388f21d99dfe116f
SHA512 a15efc7c5ddd82ea612444b5df530d11da43bbaaf7f7ae4801c8063c8cffe4538cd47e27639e380b9d1c7e342575169e06af4b298a8faf635865dc4f9dc11b8e

memory/5076-90-0x0000000073940000-0x00000000740F0000-memory.dmp

memory/1460-85-0x0000000000920000-0x000000000095E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Wz07zT4.exe

MD5 74e2748eed9db0c9b1386ff0f18187db
SHA1 f259f385bea3859fdfbb0c0e61db8ebb17df1f5f
SHA256 ecb64ce8130885de7edcbd4d3dd45015369ee69e011251922a704125b553f9db
SHA512 29ed506b25ce681524f61d8cd6b659b6868b77986a84422a3c1fd1c4ef30b47be0093dcfd562daaf7031664b7695b29e7a715d56fefa1f720846052ddd158d58

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\E6DB.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\E91E.exe

MD5 e506a24a96ce9409425a4b1761374bb1
SHA1 27455f1cd65d796ba50397f06aa4961b7799e98a
SHA256 880265cb3889dd109ac84a6756367ae56b73b483343a84a42fb35d16c816ec71
SHA512 6e3bf3ba5a551d4f46130b42f41e3c36ec29024acd3ef05d95c31edc207378800d31137a27e975e6bd9e09ae41feabd197db920404972449132912478b0ad612

memory/1460-105-0x0000000007BB0000-0x0000000008154000-memory.dmp

memory/4952-106-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1124-108-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1124-109-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1124-111-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4952-112-0x0000000000550000-0x00000000005AA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 916851e072fbabc4796d8916c5131092
SHA1 d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA256 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA512 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

memory/1460-117-0x00000000076A0000-0x0000000007732000-memory.dmp

memory/4952-118-0x0000000073940000-0x00000000740F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 df4fb359f7b2fa8af30bf98045c57c44
SHA1 6d507359e1fd5be8f7c01fd4b291f81cf9561378
SHA256 5ff7efcd90db74ff5a6fa467ba741889306ce510b95db8ebd3d5d292dfe587cc
SHA512 92195f5fe36acb84ce5aeedf8654c2ec1d71ebde1e04a5dbce11df2831c3e085c0cd7132ed2c4bddcc3fd1e546c06021dbe5b7364e86054e6cbd6806e7be0463

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 84df16093540d8d88a327b849dd35f8c
SHA1 c6207d32a8e44863142213697984de5e238ce644
SHA256 220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c
SHA512 3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098

memory/4832-134-0x0000000000740000-0x000000000077E000-memory.dmp

memory/4832-135-0x0000000073940000-0x00000000740F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lj227fw.exe

MD5 64c2a81b55b3e25b7657878bc78c458d
SHA1 32090859e4fa4f04c93a59569c7cdb875c2146b7
SHA256 bfa47bdef1d1c56bfada62ee69d72400c6685aa77b352de17e1b44d814e0bf47
SHA512 f75a07bfd91ba2638782ead6bcee39b9edba2523961157300a7234b44509f23d62679e947c1d52bcef1ac52b9b453531d0f93520c120276e8988bd8fefef3120

C:\Users\Admin\AppData\Local\Temp\FD33.exe

MD5 f99fa1c0d1313b7a5dc32cd58564671d
SHA1 0e3ada17305b7478bb456f5ad5eb73a400a78683
SHA256 8a964d8fb52489ba9086bf0ab5cf8ca7822fe698d03e5e6d5174640f52b8c5ee
SHA512 bbee03761f2ffe4ab99d3e2dd02f49460b1100583ceb0e06f2765eff776d3167880a8dbbb8079c659d39fc3cc8e24dfdd8395ced3eeb6a13ef598ba8b9269a25

memory/1460-173-0x0000000073940000-0x00000000740F0000-memory.dmp

memory/5252-174-0x0000000000FB0000-0x0000000001994000-memory.dmp

memory/5252-175-0x0000000073940000-0x00000000740F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\32.exe

MD5 395e28e36c665acf5f85f7c4c6363296
SHA1 cd96607e18326979de9de8d6f5bab2d4b176f9fb
SHA256 46af9af74a5525e6315bf690c664a1ad46452fef15b7f3aecb6216ad448befaa
SHA512 3d22e98b356986af498ea2937aa388aeb1ac6edfeca784aae7f6628a029287c3daebcc6ab5f8e0ef7f9d546397c8fd406a8cdaf0b46dcc4f8716a69d6fb873de

\??\pipe\LOCAL\crashpad_1992_BFTLOXZOESLRRHQC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d20c6a9b348365874b49db7c1545aaff
SHA1 4e808758d7502ba908539e38c8ceeea8ee42e22e
SHA256 d1706b7147d3e0b484fad76c117ce2ccf0f7d472d1092bbe1a1ffd7151244697
SHA512 719fa0ea4f82bef100242e90ad3090c88bd7804f57b323f5d17d363b63cd6b58cae85744fa64054601aa8b422b7933132a469b2794b0561b67ee4e47f3750bee

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8869c8823f9e920365591a4fbc0d4d67
SHA1 201eccde846e1159799f7a1299294bef8229d9f6
SHA256 bd64ff8fb6bc7e1104c5530217218911048b34edd00b0bb078cb51b0bda88b70
SHA512 7a6650b640017657331a4465f419f010061f95ac5b5c64ce953d6732c3be0f0631dabaca245ce41034389b30694127fd188f4f623dfdf642caa7ed8a83178986

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d1235c424c8869a4e0f8c3cd3a5bc743
SHA1 7a2568d081edc837821be079e0acc8638c4a0747
SHA256 09641245cd98f5bebc0f1ce5312b003f4d55e3a272026446e380bc5bd32e62d1
SHA512 4c63742bbe4cf10b6a55b6771950c1806c43f5f708e638ca73fbe3939db176a14e584a70df69aeeb8502f4fb258145dcaec3b41c3e98f6ef0b30d3be43c6c004

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8a36bd770eb2c37e698bbd93c4433500
SHA1 f69f3b75849259b54916d9c67cc4a4bb974e3120
SHA256 c3103939f2ba647dd5e7cf7531f51825b49b9340ead1adc28f47481bde5021a4
SHA512 52675ebee30635ce17ee6f90e8a945a6d76baea476a6357d48d1b85bd894f554793f5fe1b7bdcaf3510f96f8af354e6cd960d5d9a66ab21aadebbffea5004458

memory/5076-265-0x0000000073940000-0x00000000740F0000-memory.dmp

memory/4832-266-0x00000000076F0000-0x0000000007700000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bd7037a99ac8c0870e9bc3215ffd0f62
SHA1 32ab20dff6e2542ba92a75f78836e5877559994e
SHA256 e7fb614a81a3537e38ad26705a0b349fdf014598679828091fa3d77adcca7363
SHA512 1961fda98823e208e1aeec19c704a4cd80da40a8e604b08287cafc0b29ee3c61ea2180d3c2e1a7c51b7628db295fbb68c66aff82c54a0ee6e3c9eceefb369034

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fe0e94e42ff602a304dcbf143c8d3f7b
SHA1 1bc1fbac042631528a801010063c8d8b560f7f74
SHA256 f6a59745f5b5e9f00595ee7336aef2230521657fb5b9716032feae289422b8ee
SHA512 e5fc3f9453b997258ca09a3d8f600c23176fc1cc08442fda987ed1ee2b8bfee85ebb9e0f97ab368a7de9c4c0b8364ce83fdd6adefaa7f226be6d94e91dd3da94

memory/6160-273-0x00000000000A0000-0x0000000000480000-memory.dmp

memory/1460-267-0x00000000078E0000-0x00000000078F0000-memory.dmp

memory/6160-274-0x0000000073940000-0x00000000740F0000-memory.dmp

memory/6160-280-0x0000000004D30000-0x0000000004DCC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f1efb0bea38e51ef8a9751901c282981
SHA1 172271ad6dc9aaae09d89f436d5d13f954ed5924
SHA256 480a8d0cbed58861441807c09b1485b715a0ab4f16c310d2e53abe14bfd1bca6
SHA512 d05c0d60540f4cbaff5d636c6ee79b8f3c8ffffbf98dc7bc52ae88bbdd87be87b393bbaccb4146bcce892d5300dcb55d8b570ed6004ce5053338cc88bf07fe74

memory/4952-320-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4832-311-0x0000000007520000-0x000000000752A000-memory.dmp

memory/4952-343-0x0000000073940000-0x00000000740F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 cc15c12e750b174636267996d821a272
SHA1 40eb83028025b747bad9f6be83b9043d8c3657c5
SHA256 a6d5fd90ba04cfa2a43a4f17dce54852521da5185f441f7a3e1fba134b42d64a
SHA512 44af8903dd8dfdbf8157704da2922927eb93116c0ee697f5017fdc4647f686c36e516dd463235cc827d7b82e850e920068b02c187451ae39a157701e32d96fbf

memory/5688-373-0x0000000000400000-0x0000000000461000-memory.dmp

memory/5076-375-0x0000000073940000-0x00000000740F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/5688-384-0x00000000001C0000-0x00000000001FE000-memory.dmp

memory/7888-389-0x0000000000A60000-0x0000000000A68000-memory.dmp

memory/4116-391-0x0000000000F50000-0x0000000000F6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/7888-399-0x00007FFB927A0000-0x00007FFB93261000-memory.dmp

memory/5252-400-0x0000000073940000-0x00000000740F0000-memory.dmp

memory/5688-401-0x0000000073940000-0x00000000740F0000-memory.dmp

memory/7888-402-0x000000001B730000-0x000000001B740000-memory.dmp

memory/4116-407-0x0000000005830000-0x000000000586C000-memory.dmp

memory/4832-409-0x00000000077C0000-0x000000000780C000-memory.dmp

memory/4116-425-0x0000000005820000-0x0000000005830000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fb5ef8ca9b887abaa5dc03a5a5ba6abf
SHA1 252c7a95225c705a2dd88bc934df9e67b7d71896
SHA256 705c57ef0835b4ef3a9853c4bb7d680f6df3076b02fce943961b53495fe85f34
SHA512 2da88b41eb191f823439a1551a581b404025d4c20af0ee44855beaf807a3a0aa1a8b120ef82cad5b2a62ffdf93e8ee7bab444e100ba5e00e8ae01b0a32bc1bc2

memory/4116-408-0x0000000073940000-0x00000000740F0000-memory.dmp

memory/4832-406-0x0000000073940000-0x00000000740F0000-memory.dmp

memory/4116-404-0x0000000005790000-0x00000000057A2000-memory.dmp

memory/1460-403-0x0000000008780000-0x0000000008D98000-memory.dmp

memory/4832-405-0x0000000007FF0000-0x00000000080FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

MD5 b6d627dcf04d04889b1f01a14ec12405
SHA1 f7292c3d6f2003947cc5455b41df5f8fbd14df14
SHA256 9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf
SHA512 1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937

memory/5688-503-0x0000000004A00000-0x0000000004A61000-memory.dmp

memory/4832-505-0x00000000076F0000-0x0000000007700000-memory.dmp

memory/5688-515-0x0000000000400000-0x0000000000461000-memory.dmp

memory/6160-518-0x0000000002810000-0x0000000002818000-memory.dmp

memory/5688-520-0x0000000073940000-0x00000000740F0000-memory.dmp

memory/6208-526-0x0000000000400000-0x0000000000418000-memory.dmp

memory/6160-527-0x0000000004F90000-0x0000000005122000-memory.dmp

memory/7888-536-0x00007FFB927A0000-0x00007FFB93261000-memory.dmp

memory/6160-558-0x0000000004F80000-0x0000000004F90000-memory.dmp

memory/6160-559-0x0000000004F80000-0x0000000004F90000-memory.dmp

memory/6160-576-0x0000000004F80000-0x0000000004F90000-memory.dmp

memory/6160-560-0x0000000004F80000-0x0000000004F90000-memory.dmp

memory/6160-557-0x0000000004F80000-0x0000000004F90000-memory.dmp

memory/6160-556-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

memory/7048-577-0x0000000000400000-0x000000000041B000-memory.dmp

memory/6160-579-0x0000000004F80000-0x0000000004F90000-memory.dmp

memory/6160-580-0x0000000005640000-0x0000000005740000-memory.dmp

memory/6160-587-0x0000000005640000-0x0000000005740000-memory.dmp

memory/464-590-0x0000000000920000-0x0000000000929000-memory.dmp

memory/7048-589-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4760-597-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4524-634-0x0000000000400000-0x0000000000611000-memory.dmp

memory/4524-653-0x0000000000400000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\847444993605

MD5 4b61c23d2c45b732efedd4ac66545928
SHA1 310441f41bbdfebd933cd478cec5472c410bfe24
SHA256 75ba899f20d8dd4877b94410e0819813768d98396f01f809eaa10c4b84087408
SHA512 5138234ff561be19a1892e4e0c12434e69230689adae3a463acb3394334a50101f8010a9eeede08070cfbcb7ec9eb6bea18d95cf38d96f6a52866971719c260a

memory/3224-673-0x0000000002A00000-0x0000000002A16000-memory.dmp

memory/4760-675-0x0000000000400000-0x0000000000409000-memory.dmp

memory/7048-595-0x0000000000400000-0x000000000041B000-memory.dmp

memory/6160-593-0x0000000005640000-0x0000000005740000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 918ecd7940dcab6b9f4b8bdd4d3772b2
SHA1 7c0c6962a6cd37d91c2ebf3ad542b3876dc466e4
SHA256 3123072fba0ea8e8f960dd213659a0c96ce2b58683593b8ea84efac772b25175
SHA512 c96044501a0a6a65140bc7710a81d29dac35fc6a6fd18fbb4fa5d584e9dc79a059e51cbe063ca496d72558e459ffa6c2913f3893f0a3c0f8002bbca1d1b98ea2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a41cdcabc75ec0cfbfa3906af4bdffa8
SHA1 ecefcedaaaa551d27c1277ba4285ed5166e484a3
SHA256 f1e77637c8b1741c051b524dacf45cbd2a960674520a9769feb2f0b9d32b5c72
SHA512 1ddd53b9f8918f2097e6efa4da012ad2495997979e4fb50221f647aae97fbfe1d704b75249bf3e409e4186cafa8f127203de2b7a471a884c013ba2a9da7bd28a

memory/6160-524-0x0000000073940000-0x00000000740F0000-memory.dmp

memory/6208-519-0x0000000000400000-0x0000000000418000-memory.dmp

memory/6160-516-0x00000000027F0000-0x00000000027FA000-memory.dmp

memory/1460-514-0x00000000078E0000-0x00000000078F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 7e9a2a52576c56760174d96326844bf6
SHA1 a1a7e537901f00f8e5eb1757043032d533398d8a
SHA256 e04c9a1f1b4610ecb894769f13f50f2c62049dd8e90d7b3f3bc6a28d3d21bd4a
SHA512 9b3da96429fb67a28b3c3f9924e485c4fd2acb2bcbfcd45efbb19f4987ce8950874514c055e46e0d440d8316d401f626dc774c70b0e04e56d98e46dd6ce62a64

C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll

MD5 1c27631e70908879e1a5a8f3686e0d46
SHA1 31da82b122b08bb2b1e6d0c904993d6d599dc93a
SHA256 478aa272d465eaa49c2f12fc141af2c0581f569ccf67f628747d90cc03a1e6a9
SHA512 7230ccad5e910f4f1aafb26642670c227a5d6e30f9c3de9a111e9c471651e54e352c56f34093667e6a51e78d01f3271c5e9d3248de5e1e82ae0e5d2aaea977dd

memory/7672-716-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll

MD5 ceffd8c6661b875b67ca5e4540950d8b
SHA1 91b53b79c98f22d0b8e204e11671d78efca48682
SHA256 da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2
SHA512 6f78e3479c7b80cee0c2cea33a5b3e06c65b3e85a558f2df4b72211f714b81a2549daed0bc7ffe1456867b447ede9caeec73a6c4d2b345aad664d501212d07d4

C:\Users\Admin\AppData\Local\Temp\tmp65C0.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp65D6.tmp

MD5 122f66ac40a9566deec1d78e88d18851
SHA1 51f5c72fb7ab42e8c6020db2f0c4b126412f493d
SHA256 c22d4d23fefc91648b906d01d7184e1fb257a6914eb949612c0fc8b524e84e04
SHA512 39564f0c8a900d55a0e2ef787b69a75b2234a7a9f1f576d23ad593895196fc1b25dec9ae028dd7300a3f4d086c3e3980ac2a4403d92e05aee543ffed74b744ff

C:\Users\Admin\AppData\Local\Temp\tmp6631.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp6655.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmp666B.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp6686.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

memory/7672-912-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0cw01age.p2m.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 91f22ed8bac86b954211b412cc9d2dd6
SHA1 fc566525c0995fa9a6401a999bb5d318e4fc30d7
SHA256 0bbc640e859e2a90c02ab28838091d8e651aa5bc2c8cb4ad05738d4c4903e477
SHA512 c85cf52c6e5d59bd2f253453dfeb237fa0ae77445eb8e0a55e4995b62005270313b5e8e2d2fc7d98e109277acaa44197685ede0ac311b3f23ec647984b51b883

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e0a4a51f15258de69d81c8c4e657d285
SHA1 174a05436236ddbaf3966add6ad288f2456aaf2a
SHA256 2dd16ae0b32faf377267a3ca6cdb4ef736dc58b6826d26e12e4787db39c7d819
SHA512 cca47c0567c37bd4578096487c288cb091672d724851b1fb1cd644b173c89a2d51e8928739a6513dc00803e74827c71c9e5174b535df16dda8593d96e9046d5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589749.TMP

MD5 0b71aa68c3643f0e628b3f8f4a1ffa90
SHA1 97dbf7469bd414d7d9bddedce3e0084e6eadac77
SHA256 229be6ce900a3d8a279dbd38d00cb7e8fb1a80fc4ab57cf4a44cc0962e3815aa
SHA512 4ca6cc02f5eeacaf9d2809addd56ff555b013ed4de09143b1afb8f48737a90530baeb3e1de7e20d2e8b57d0ed1e69e9bb1c4cbe52f755edafa7688923c0dfca5

memory/8144-1053-0x00007FF68DBD0000-0x00007FF68E171000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 710156dbad21250fa2197f087be85ee2
SHA1 3c6f7e0719c1e9c0a00491092a6015a64a35480b
SHA256 fdec863cb7a6eae85fce88301bb5192511c2127279bd65c2e04f89d338817793
SHA512 c15195807a77a0786d3b19b0482b2fb350346ab0bd4427c303ad6c7ecfa0323b3293de115261986de6913473ae295e4a94fada1ea0932005d9bdc02219ac4900

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 534ad64ae63c9354cb0a50fe8e796462
SHA1 5fc5914bd0da7fc7d9e1593d09d12a42b253a7a3
SHA256 3206ef19dd61ad905dc4425fe374e5c73239f74eb578e3dfb46e9e6c012e5e91
SHA512 4b9652e016d1cd8f2c79a39b90d63bfb5f8aa09c346fd0f71bc431158f8212c84afb0e635f3045c9b56e256b8ef0a0e218d9b89556470919c911207c7ac1a307

memory/8144-1145-0x00007FF68DBD0000-0x00007FF68E171000-memory.dmp

memory/7672-1162-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

MD5 990324ce59f0281c7b36fb9889e8887f
SHA1 35abc926cbea649385d104b1fd2963055454bf27
SHA256 67bcedd3040fc55d968bbe21df05c02b731181541aff4ae72b9205300a4a3ecc
SHA512 31e83da1ac217d25be6e7f35a041881b926f731fff69db6f144e4fe99b696a31f9ab7766ca22cf5a482743c2a2d00a699ca2c2d67837a86c471a2dd3bed9ea1f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 0d04a2a1d92419d6614431dbab0e5488
SHA1 43cde5acdd9066eb29dc24d34e2d67224daaa5c8
SHA256 8573dd7c77b8f55bfc1a0348a4eaf3a8b3d71576386143e01aee26e082dac66f
SHA512 a9c6209978f2af32b43e4601ca0fc8d8ede0b2b5e6c6d42d14873294bce584b96916ef763e469de31cc022b88250c9011945e56d651d2165d2a8c90132c41414

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7a43dfe865cd7cd419a7cd99ddb90911
SHA1 2dfa2e15723ac6740d71347d758faa738bffa527
SHA256 6b44625169e6d102e4004f205e62eeacb90442f7217ced35d2a9c7a86d1db27a
SHA512 f8be0a4232009f1a8d0a7bd4bc1ab9e893d075acc0560caca451b379b9bffd99ecccd2c7ddf715c15fdffd196100946c02f424f02c8b9ef465e111cbda3b9a61

memory/7672-1248-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f262222548500aa3935d0300926bf724
SHA1 bfc75d3963b5bce2728e9ca8a46ef88d6f90d5f5
SHA256 2feaaef9b63f16bd80718b96046da418b6b50a413e465f71c6b3032a111f3268
SHA512 2e489eb6dff0259693f8cba76a24a55af51a23af9258f499c7fb3784c13863e05989d5bf313ee66401ed0454c28022e3cbf38612d4b5c5631f5dacc934fbeec8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 544ab8574d9ccf56914521f26c652f6b
SHA1 4e3d7f8d710144e0e7263b007f3ea0cf9107c24d
SHA256 ad9a7f9d9ba5e330bd71021f2bc1de049e8dd124f83370f11bbe00bf50cafffc
SHA512 aaa2197d99e100b8901aeb46c1dbcafeb0ca6dfc46003295ab6fb99959f95fe9c5316e3c04a7ffff994c7321d7f6e17a19c3889e44662082488c0d87482d863f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe591f94.TMP

MD5 8eaa42fdadd4956a5a86459b4bdf6fb2
SHA1 1bbfa678307b9bbaa0a0b6f871d2621c104ae401
SHA256 39659761197eb76bc0e47e61fa3071de0cab1753c6dd976f12b923133c4c5b90
SHA512 ca189b94123dbf5d2dde13bfae73a75119c7fc6053164058c730a797c74daa8cc37f4e1ae43dddc2429c33d78e7bd46aa777ccee08f19c404f69a3ceae662317

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 b6d38155ef0e7117aa116cef85830ddf
SHA1 b3393de96be4f61fdbb6c7a972a00df0c3365080
SHA256 1e6529931b332cb702ac253dea151f45eaa19ddf3e8adeb767bc624247b0a666
SHA512 61358035f37e52692f11d45b15031fb962c1317e5c1bdbb980339c4470b1e5440dd271ec0c35848299e549a6691d27e0a0beb6bb7c52aa4ed7197695a730d364

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fb90054a-c31d-4490-b246-3ed85e390138.tmp

MD5 543fa69006d17eed22095d238d5e55f3
SHA1 55019aac30de0bda9086cffbb11b9a83c2036e7a
SHA256 f713d250fd34eb0b6352af1c3ae4e656600966f3533d99e80472045d2511ab71
SHA512 1999efe9668a7ad0e210b6d76f1505def29002a313001b8aeaaadb4db8df17755bad1642341678715cd0b4e8bb3aa692dfc3d5f19d684acdf8b135697c87d971

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 91841e1570b11189f5c829d03d3cd774
SHA1 496445b42f1578211fc43cdd3cfbd72980f164b1
SHA256 cf07feccf2e131b534278044dddf047886c5de53f67f2a3aad3b33d1fe4db635
SHA512 a54b17a7be363a3cc0c3726a19d43256caa01d8b8b9659b435d02209041540a3dd08bff74a5f2617a066a55f4c0f177e4147d6b4bc0117274c2fcc6155b3b35f

C:\Users\Admin\AppData\Local\Temp\847444993605

MD5 f89c5f51e562c3b8a5cc0507315799a9
SHA1 2a41da429ddf263e8489fa285117ee101f001c15
SHA256 9f2222c828b7166f79a28be10db043efbc00200c233dab20d9fbb500fe0349b1
SHA512 2d1c16d2c6e788144dbb942fbf8fd62e38c46fc8a58ae4c0e9ef5b7a2864b942ca633d34788c933d3a6b204466d276fedf3c4591dc2fbcf50be1fa98280ce14d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 2044c4f199d083ce87e38a1b469e432e
SHA1 eb6f188943317dadc7963f17e2e27446d967f4ea
SHA256 01e2449ecf54d4e2c50990750d753a389779b2a393a3f180fbdcfed6f66d894b
SHA512 35dfba8a789685da96b1bec69b22ff747c412084c78869a2cfe37f931af61e392f97971acaf589242f608696d2324e00a27ad61f80fd82724f7e16d7a94879dd

memory/5212-1647-0x00007FF7C0E20000-0x00007FF7C13C1000-memory.dmp

memory/7776-1648-0x0000000001550000-0x0000000001570000-memory.dmp
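A note for readers triaging this listing. Most entries above are Edge profile files (TransportSecurity, Preferences, Service Worker caches) that the browser rewrote several times during the run, which is why the same path recurs with different hashes; they are browser activity, not dropped payloads, and do not belong on a blocklist. The entries that matter are the two DLLs under AppData\Roaming\006700e5a2ab05\ (cred64.dll and clip64.dll are the file names Amadey uses for its credential-stealer and clipper plugins, consistent with the amadey tag on this sample) and the memory dumps, where a region starting at 0x400000 (PID 7672) is the default 32-bit PE image base and usually holds an unpacked payload. The script below is an added example, not part of the sandbox report or any vendor tooling: it parses the report's own path/hash/memory layout, validates hash lengths, separates browser-profile writes from dropped files, and emits the SHA256 set worth blocklisting. The sample input is constructed from entries copied from the listing above (SHA512 lines omitted for brevity); the browser-directory regex and the plugin-name hint table are the author's own assumptions.

```python
"""Triage of a sandbox 'Files' listing (added example, not part of the report)."""
import re
from dataclasses import dataclass, field

# Constructed sample: entries copied from the listing above in the report's own
# layout (path, blank line, hash lines). SHA512 lines omitted for brevity.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 e0a4a51f15258de69d81c8c4e657d285
SHA1 174a05436236ddbaf3966add6ad288f2456aaf2a
SHA256 2dd16ae0b32faf377267a3ca6cdb4ef736dc58b6826d26e12e4787db39c7d819

memory/8144-1053-0x00007FF68DBD0000-0x00007FF68E171000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da

memory/7672-1162-0x0000000000400000-0x0000000000D1B000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Browser profile directories (assumption): writes here are browser activity, not dropped payloads.
BROWSER_RE = re.compile(r"\\(Microsoft\\Edge|Google\\Chrome|Mozilla\\Firefox)\\", re.I)
# File names Amadey uses for the plugins it fetches from C2; a hint for the analyst, not a verdict.
KNOWN_PLUGIN_NAMES = {"cred64.dll": "Amadey credential-stealer plugin",
                      "clip64.dll": "Amadey clipper plugin"}

@dataclass
class FileEntry:
    path: str
    hashes: dict = field(default_factory=dict)
    note: str = ""

@dataclass
class MemRegion:
    pid: int
    start: int
    end: int

    @property
    def size(self):
        return self.end - self.start

    @property
    def looks_like_pe32_image(self):
        # 0x400000 is the default image base of 32-bit PEs: usually an unpacked image, not a heap.
        return self.start == 0x400000

def parse_listing(text):
    """Return (file entries, memory regions, hash-format errors)."""
    files, mems, errors, current = [], [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := MEM_RE.match(line):
            mems.append(MemRegion(int(m[1]), int(m[2], 16), int(m[3], 16)))
            current = None  # a memory dump ends the previous file's hash block
        elif h := HASH_RE.match(line):
            algo, digest = h[1], h[2].lower()
            if current is None:
                errors.append(f"hash with no preceding path: {line}")
            elif len(digest) != HASH_LEN[algo]:
                errors.append(f"{current.path}: {algo} has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
            else:
                current.hashes[algo] = digest
        else:
            current = FileEntry(path=line)
            files.append(current)
    return files, mems, errors

def triage(text):
    files, mems, errors = parse_listing(text)
    dropped, browser = [], []
    for f in files:
        if BROWSER_RE.search(f.path):
            browser.append(f)
        else:
            f.note = KNOWN_PLUGIN_NAMES.get(f.path.rsplit("\\", 1)[-1].lower(), "")
            dropped.append(f)
    return {"dropped": dropped, "browser_profile": browser, "memory": mems, "errors": errors}

def ioc_sha256(text):
    """Sorted SHA256 values of the non-browser dropped files: the blocklist candidates."""
    return sorted(f.hashes["SHA256"] for f in triage(text)["dropped"] if "SHA256" in f.hashes)

if __name__ == "__main__":
    r = triage(SAMPLE)
    for f in r["dropped"]:
        print(f"DROPPED {f.path}  sha256={f.hashes.get('SHA256')}  {f.note}")
    for m in r["memory"]:
        print(f"MEMDUMP pid={m.pid} base=0x{m.start:X} size=0x{m.size:X} pe32-like={m.looks_like_pe32_image}")
    print(f"browser-profile writes excluded: {len(r['browser_profile'])}; errors: {r['errors']}")
```

Run it against the full Files section pasted into SAMPLE and the dropped list shrinks to the Roaming DLLs and the Temp artifact while the Edge profile churn is set aside; the hash-length check catches the truncated digests that copy-paste from report pages often produces before they reach a blocklist.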