Malware Analysis Report

2025-06-16 01:30

Sample ID 231031-lqk79sfc5y
Target b98a2ae72314e53a1dc9936278e5d5781688e343d4523b52d7659e7860672f76
SHA256 b98a2ae72314e53a1dc9936278e5d5781688e343d4523b52d7659e7860672f76
Tags
amadey dcrat glupteba raccoon redline sectoprat smokeloader xmrig zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza pixelnew up3 backdoor paypal collection discovery dropper evasion infostealer loader miner persistence phishing rat spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b98a2ae72314e53a1dc9936278e5d5781688e343d4523b52d7659e7860672f76

Threat Level: Known bad

The file b98a2ae72314e53a1dc9936278e5d5781688e343d4523b52d7659e7860672f76 was found to be: Known bad.

Malicious Activity Summary

amadey dcrat glupteba raccoon redline sectoprat smokeloader xmrig zgrat 6a6a005b9aa778f606280c5fa24ae595 @ytlogsbot grome kinza pixelnew up3 backdoor paypal collection discovery dropper evasion infostealer loader miner persistence phishing rat spyware stealer trojan upx

SmokeLoader

DcRat

Glupteba

Suspicious use of NtCreateUserProcessOtherParentProcess

RedLine payload

SectopRAT

SectopRAT payload

Raccoon

Glupteba payload

Amadey

RedLine

xmrig

Detect ZGRat V1

ZGRat

Raccoon Stealer payload

Modifies Windows Defender Real-time Protection settings

XMRig Miner payload

Modifies Windows Firewall

Blocklisted process makes network request

Downloads MZ/PE file

Stops running service(s)

Drops file in Drivers directory

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Reads user/profile data of web browsers

Windows security modification

Adds Run key to start application

Looks up external IP address via web service

Checks installed software on the system

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Detected potential entity reuse from brand paypal.

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

outlook_win_path

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Enumerates system info in registry

outlook_office_path

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Checks SCSI registry key(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-31 09:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-31 09:44

Reported

2023-10-31 09:46

Platform

win10v2004-20231020-en

Max time kernel

91s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b98a2ae72314e53a1dc9936278e5d5781688e343d4523b52d7659e7860672f76.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\FCE2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\FCE2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\FCE2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\FCE2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\FCE2.exe N/A

Raccoon

stealer raccoon

Raccoon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mC4Wl2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2CFE.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4C22.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5859.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\243.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mC4Wl2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6zu5RF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7pK5iC66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F7BE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Si4SR7iQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn6Lv6zN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EX9zq3Ho.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HQ2ER5na.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1cJ14rw7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FBD8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FCE2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FF45.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ql467Em.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\243.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2CFE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3089.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3EF1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4655.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4C22.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5173.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5859.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\FCE2.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4C22.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4C22.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4C22.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4C22.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4C22.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn6Lv6zN.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\3089.exe'\"" C:\Users\Admin\AppData\Local\Temp\3089.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b98a2ae72314e53a1dc9936278e5d5781688e343d4523b52d7659e7860672f76.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\F7BE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Si4SR7iQ.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EX9zq3Ho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HQ2ER5na.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LAudioConverter\is-C309N.tmp C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-R365V.tmp C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\XML\Styles\is-ULG0N.tmp C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
File created C:\Program Files (x86)\LAudioConverter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-2BCBP.tmp C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-EFHSB.tmp C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-IL84O.tmp C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\LAudioConverter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
File opened for modification C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-OCB2A.tmp C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-F16D5.tmp C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-JVAVP.tmp C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-G1T04.tmp C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-9CRF4.tmp C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-C5M58.tmp C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\XML\Styles\is-UCU2A.tmp C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\is-EVC17.tmp C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
File created C:\Program Files (x86)\LAudioConverter\XML\Styles\is-IA9QP.tmp C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FCE2.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\243.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5859.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4976 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\b98a2ae72314e53a1dc9936278e5d5781688e343d4523b52d7659e7860672f76.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe
PID 4976 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\b98a2ae72314e53a1dc9936278e5d5781688e343d4523b52d7659e7860672f76.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe
PID 4976 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\b98a2ae72314e53a1dc9936278e5d5781688e343d4523b52d7659e7860672f76.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe
PID 4632 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe
PID 4632 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe
PID 4632 wrote to memory of 3356 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe
PID 3356 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe
PID 3356 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe
PID 3356 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe
PID 1176 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe
PID 1176 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe
PID 1176 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe
PID 860 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe
PID 860 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe
PID 860 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe
PID 408 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe
PID 408 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe
PID 408 wrote to memory of 4388 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe
PID 4388 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4388 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4388 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4388 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4388 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4388 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4388 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4388 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 408 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe
PID 408 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe
PID 408 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe
PID 2164 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2164 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2164 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2164 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2164 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2164 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2164 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2164 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2164 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2164 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2164 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2164 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2164 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 860 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe
PID 860 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe
PID 860 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe
PID 1176 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe
PID 1176 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe
PID 1176 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe
PID 2220 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2220 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2220 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2220 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2220 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2220 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2220 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2220 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3356 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mC4Wl2.exe
PID 3356 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mC4Wl2.exe
PID 3356 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mC4Wl2.exe
PID 1992 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mC4Wl2.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1992 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mC4Wl2.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 1992 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mC4Wl2.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 4632 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6zu5RF0.exe
PID 4632 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6zu5RF0.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4C22.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\4C22.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\b98a2ae72314e53a1dc9936278e5d5781688e343d4523b52d7659e7860672f76.exe

"C:\Users\Admin\AppData\Local\Temp\b98a2ae72314e53a1dc9936278e5d5781688e343d4523b52d7659e7860672f76.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4716 -ip 4716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mC4Wl2.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mC4Wl2.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6zu5RF0.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6zu5RF0.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7pK5iC66.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7pK5iC66.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\ADD4.tmp\ADD5.tmp\ADD6.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7pK5iC66.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x124,0x170,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x140,0x104,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,7100226488549161167,7149096524213436967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,1877569950297962887,17771826107555253530,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,7100226488549161167,7149096524213436967,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,1877569950297962887,17771826107555253530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x168,0x16c,0x144,0x170,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x144,0x170,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7444 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7444 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7996 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7596 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\F7BE.exe

C:\Users\Admin\AppData\Local\Temp\F7BE.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Si4SR7iQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Si4SR7iQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn6Lv6zN.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn6Lv6zN.exe

C:\Users\Admin\AppData\Local\Temp\F926.exe

C:\Users\Admin\AppData\Local\Temp\F926.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EX9zq3Ho.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EX9zq3Ho.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HQ2ER5na.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HQ2ER5na.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FA6F.bat" "

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1cJ14rw7.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1cJ14rw7.exe

C:\Users\Admin\AppData\Local\Temp\FBD8.exe

C:\Users\Admin\AppData\Local\Temp\FBD8.exe

C:\Users\Admin\AppData\Local\Temp\FCE2.exe

C:\Users\Admin\AppData\Local\Temp\FCE2.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Users\Admin\AppData\Local\Temp\FF45.exe

C:\Users\Admin\AppData\Local\Temp\FF45.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7868 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ql467Em.exe

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ql467Em.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 6252 -ip 6252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Users\Admin\AppData\Local\Temp\243.exe

C:\Users\Admin\AppData\Local\Temp\243.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6252 -s 540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8592 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9076 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9084 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8988 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9256 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\2CFE.exe

C:\Users\Admin\AppData\Local\Temp\2CFE.exe

C:\Users\Admin\AppData\Local\Temp\3089.exe

C:\Users\Admin\AppData\Local\Temp\3089.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6732 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\3EF1.exe

C:\Users\Admin\AppData\Local\Temp\3EF1.exe

C:\Users\Admin\AppData\Local\Temp\4655.exe

C:\Users\Admin\AppData\Local\Temp\4655.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f4 0x508

C:\Users\Admin\AppData\Local\Temp\4C22.exe

C:\Users\Admin\AppData\Local\Temp\4C22.exe

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp

"C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp" /SL5="$701F8,2998240,68096,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"

C:\Users\Admin\AppData\Local\Temp\5173.exe

C:\Users\Admin\AppData\Local\Temp\5173.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "LAC1031-1"

C:\Users\Admin\AppData\Local\Temp\5859.exe

C:\Users\Admin\AppData\Local\Temp\5859.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 7728 -ip 7728

C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe

"C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe" -s

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7728 -s 768

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=10144 /prefetch:8

C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe

"C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe" -i

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ea7c8244c8" /P "Admin:N"&&CACLS "..\ea7c8244c8" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 9208 -ip 9208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 9208 -s 572

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\cacls.exe

CACLS "Utsysc.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\ea7c8244c8" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\ea7c8244c8" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cacls.exe

CACLS "Utsysc.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\tar.exe

tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\350690463354_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2348 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
RU 193.233.255.73:80 193.233.255.73 tcp
US 8.8.8.8:53 73.255.233.193.in-addr.arpa udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 157.240.247.35:443 www.facebook.com tcp
US 8.8.8.8:53 store.steampowered.com udp
NL 142.250.179.141:443 accounts.google.com tcp
NL 104.85.0.101:443 store.steampowered.com tcp
US 8.8.8.8:53 twitter.com udp
US 8.8.8.8:53 steamcommunity.com udp
US 104.244.42.1:443 twitter.com tcp
JP 23.207.106.113:443 steamcommunity.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 101.0.85.104.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 1.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 113.106.207.23.in-addr.arpa udp
US 8.8.8.8:53 www.epicgames.com udp
US 52.0.122.33:443 www.epicgames.com tcp
US 8.8.8.8:53 www.paypal.com udp
US 151.101.1.21:443 www.paypal.com tcp
US 8.8.8.8:53 33.122.0.52.in-addr.arpa udp
US 8.8.8.8:53 21.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 92.47.239.18.in-addr.arpa udp
US 8.8.8.8:53 206.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
IE 163.70.151.21:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 abs.twimg.com udp
US 8.8.8.8:53 api.twitter.com udp
US 8.8.8.8:53 pbs.twimg.com udp
US 152.199.21.141:443 abs.twimg.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 8.8.8.8:53 video.twimg.com udp
US 93.184.220.70:443 pbs.twimg.com tcp
US 8.8.8.8:53 t.co udp
NL 199.232.148.158:443 video.twimg.com tcp
US 104.244.42.69:443 t.co tcp
US 8.8.8.8:53 21.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 141.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 70.220.184.93.in-addr.arpa udp
US 8.8.8.8:53 158.148.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 tracking.epicgames.com udp
US 54.166.243.177:443 tracking.epicgames.com tcp
US 8.8.8.8:53 www.paypalobjects.com udp
US 8.8.8.8:53 community.akamai.steamstatic.com udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
NL 23.72.252.169:443 community.akamai.steamstatic.com tcp
NL 23.72.252.169:443 community.akamai.steamstatic.com tcp
NL 23.72.252.169:443 community.akamai.steamstatic.com tcp
US 8.8.8.8:53 static-assets-prod.unrealengine.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 18.239.36.103:443 static-assets-prod.unrealengine.com tcp
US 18.239.36.103:443 static-assets-prod.unrealengine.com tcp
NL 88.221.25.169:80 apps.identrust.com tcp
US 8.8.8.8:53 i.ytimg.com udp
DE 172.217.23.214:443 i.ytimg.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 25.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 169.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 103.36.239.18.in-addr.arpa udp
US 8.8.8.8:53 177.243.166.54.in-addr.arpa udp
US 8.8.8.8:53 169.25.221.88.in-addr.arpa udp
US 8.8.8.8:53 214.23.217.172.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
IE 163.70.151.35:443 facebook.com tcp
US 8.8.8.8:53 store.akamai.steamstatic.com udp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 static.ads-twitter.com udp
US 8.8.8.8:53 106.208.58.216.in-addr.arpa udp
US 8.8.8.8:53 35.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 171.252.72.23.in-addr.arpa udp
NL 199.232.148.157:443 static.ads-twitter.com tcp
US 8.8.8.8:53 fbcdn.net udp
IE 163.70.151.35:443 fbcdn.net tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 157.148.232.199.in-addr.arpa udp
US 8.8.8.8:53 c.paypal.com udp
US 192.55.233.1:443 tcp
US 8.8.8.8:53 www.recaptcha.net udp
NL 142.250.179.163:443 www.recaptcha.net tcp
US 192.55.233.1:443 tcp
US 8.8.8.8:53 t.paypal.com udp
US 151.101.1.35:443 t.paypal.com tcp
US 8.8.8.8:53 163.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.1.101.151.in-addr.arpa udp
NL 142.250.179.163:443 www.recaptcha.net udp
NL 23.72.252.169:443 community.akamai.steamstatic.com tcp
NL 23.72.252.169:443 community.akamai.steamstatic.com tcp
NL 23.72.252.169:443 community.akamai.steamstatic.com tcp
US 8.8.8.8:53 b.stats.paypal.com udp
US 64.4.245.84:443 b.stats.paypal.com tcp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
NL 23.72.252.171:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 dub.stats.paypal.com udp
US 64.4.245.84:443 dub.stats.paypal.com tcp
US 8.8.8.8:53 84.245.4.64.in-addr.arpa udp
US 8.8.8.8:53 c6.paypal.com udp
FI 77.91.68.29:80 77.91.68.29 tcp
US 8.8.8.8:53 29.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 login.steampowered.com udp
JP 23.207.106.113:443 login.steampowered.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
RU 193.233.255.73:80 193.233.255.73 tcp
FI 77.91.68.249:80 77.91.68.249 tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 249.68.91.77.in-addr.arpa udp
NL 194.169.175.118:80 194.169.175.118 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 118.175.169.194.in-addr.arpa udp
RU 5.42.65.80:80 5.42.65.80 tcp
US 8.8.8.8:53 80.65.42.5.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 126.24.238.8.in-addr.arpa udp
BG 171.22.28.239:42359 tcp
NL 104.85.0.101:443 store.steampowered.com tcp
US 8.8.8.8:53 239.28.22.171.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 api.twitter.com udp
US 104.244.42.66:443 api.twitter.com tcp
US 8.8.8.8:53 66.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 analytics.twitter.com udp
US 104.244.42.3:443 analytics.twitter.com tcp
JP 23.207.106.113:443 login.steampowered.com tcp
US 8.8.8.8:53 3.42.244.104.in-addr.arpa udp
DE 172.217.23.214:443 i.ytimg.com udp
US 8.8.8.8:53 api.steampowered.com udp
JP 23.207.106.113:443 api.steampowered.com tcp
FI 77.91.68.29:80 77.91.68.29 tcp
FI 77.91.124.71:4341 tcp
US 8.8.8.8:53 71.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
NL 142.251.36.34:443 googleads.g.doubleclick.net tcp
NL 142.251.36.34:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 34.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
DE 148.251.234.93:443 iplogger.com tcp
US 8.8.8.8:53 stim.graspalace.com udp
US 188.114.96.0:80 stim.graspalace.com tcp
BG 171.22.28.213:80 171.22.28.213 tcp
US 8.8.8.8:53 93.234.251.148.in-addr.arpa udp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 213.28.22.171.in-addr.arpa udp
US 149.40.62.171:15666 tcp
US 8.8.8.8:53 171.62.40.149.in-addr.arpa udp
US 18.239.36.103:443 static-assets-prod.unrealengine.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 64.185.227.156:443 api.ipify.org tcp
IT 185.196.9.171:80 185.196.9.171 tcp
US 8.8.8.8:53 yt3.ggpht.com udp
NL 142.251.36.1:443 yt3.ggpht.com tcp
US 8.8.8.8:53 156.227.185.64.in-addr.arpa udp
US 8.8.8.8:53 171.9.196.185.in-addr.arpa udp
NL 142.251.36.1:443 yt3.ggpht.com udp
US 8.8.8.8:53 i4.ytimg.com udp
US 8.8.8.8:53 1.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 194.49.94.11:80 194.49.94.11 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 11.94.49.194.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
NL 172.217.168.234:443 jnn-pa.googleapis.com tcp
US 8.8.8.8:53 static.doubleclick.net udp
NL 142.251.36.6:443 static.doubleclick.net tcp
NL 172.217.168.234:443 jnn-pa.googleapis.com udp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 234.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 6.36.251.142.in-addr.arpa udp
US 185.196.8.176:80 185.196.8.176 tcp
US 185.196.8.176:80 185.196.8.176 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 176.8.196.185.in-addr.arpa udp
US 8.8.8.8:53 254.21.238.8.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
FI 77.91.124.86:19084 tcp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
NL 142.251.36.14:443 play.google.com udp
US 185.196.8.176:80 185.196.8.176 tcp
US 185.196.8.176:80 185.196.8.176 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
US 95.214.26.28:80 host-host-file8.com tcp
US 8.8.8.8:53 28.26.214.95.in-addr.arpa udp
US 8.8.8.8:53 3b67c375-85c1-4ea3-894f-6578747898ae.uuid.statsexplorer.org udp
US 8.8.8.8:53 server10.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.l.google.com udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server10.statsexplorer.org tcp
US 74.125.128.127:19302 stun.l.google.com udp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.96.0:443 walkinglate.com tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 127.128.125.74.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 51.68.143.81:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 81.143.68.51.in-addr.arpa udp
US 172.67.34.170:443 pastebin.com tcp
FR 51.15.193.130:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 server10.statsexplorer.org udp
BG 185.82.216.108:443 server10.statsexplorer.org tcp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
US 8.8.8.8:53 130.193.15.51.in-addr.arpa udp
FI 77.91.124.86:19084 tcp
FI 77.91.124.86:19084 tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
FI 77.91.124.86:19084 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe

MD5 16217bcc07a561909869111c02573e54
SHA1 45787b6bbce404f9b1c7d41b66ffe4cb5d4b675a
SHA256 e57bfa5ee7f60e58bf49868c78bf4ede954b073a9fdf370f57dd8837e407f729
SHA512 7fc22878c807a5e2398d5e2b87c1272f6da0b4daf84dd0dd97ee5507ce0b077466fe7e119075f92adb0cf4601c879c90913894c02673857647bc6f52988b575c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe

MD5 16217bcc07a561909869111c02573e54
SHA1 45787b6bbce404f9b1c7d41b66ffe4cb5d4b675a
SHA256 e57bfa5ee7f60e58bf49868c78bf4ede954b073a9fdf370f57dd8837e407f729
SHA512 7fc22878c807a5e2398d5e2b87c1272f6da0b4daf84dd0dd97ee5507ce0b077466fe7e119075f92adb0cf4601c879c90913894c02673857647bc6f52988b575c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe

MD5 e03fdc2e814ea5afb4cf2a76e314250e
SHA1 d0adf5fb43408e0b6b1a94cff001ed409dc0af94
SHA256 90b20c8b741c0d3153b7100c5386d4fbfa4ea3d2e96e666f5bdec5c3869e3ac2
SHA512 8f43dda3f775782785ef0748d95854d44481c31a9c356626d29aa61386871154e9f7ed0a3971bbfc4199cf3bd2fea7af9c47cadef60c37723b8f90777c65a794

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe

MD5 e03fdc2e814ea5afb4cf2a76e314250e
SHA1 d0adf5fb43408e0b6b1a94cff001ed409dc0af94
SHA256 90b20c8b741c0d3153b7100c5386d4fbfa4ea3d2e96e666f5bdec5c3869e3ac2
SHA512 8f43dda3f775782785ef0748d95854d44481c31a9c356626d29aa61386871154e9f7ed0a3971bbfc4199cf3bd2fea7af9c47cadef60c37723b8f90777c65a794

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe

MD5 95ca9833746fb20b980e442dd845a732
SHA1 c6b9d73302fdfad5161816961e8a7f82b94d145a
SHA256 d3b8a9b279ead2db07d9937fc30c0e2422bb422705802b04d27e0214f92d881a
SHA512 d7d3995af2db2dcff42cca925036e307a48a5b9d92cf34e49cd0f3f76a5b36baa67cbb8e0452eeffcd17125f2cafd3b6d43a9988cfd901b8882588a0c7bc226b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe

MD5 95ca9833746fb20b980e442dd845a732
SHA1 c6b9d73302fdfad5161816961e8a7f82b94d145a
SHA256 d3b8a9b279ead2db07d9937fc30c0e2422bb422705802b04d27e0214f92d881a
SHA512 d7d3995af2db2dcff42cca925036e307a48a5b9d92cf34e49cd0f3f76a5b36baa67cbb8e0452eeffcd17125f2cafd3b6d43a9988cfd901b8882588a0c7bc226b

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe

MD5 3ec136d1c65555b2e40e4a2b395c3587
SHA1 b945e73a3493b873c06961b959cd757a39eba21c
SHA256 40c7db7ab42cf5092d2f33977dd852157f2f35849731707c4c745aff9ff0f605
SHA512 79f24bff9207842f31e535d6d2684da3a6ee0c95a4dee478ea91c5a9662da6b6bda635462e98ce292fe2e0ac6d2d3a05be4c09ce6b092f600412eff8bc231781

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe

MD5 3ec136d1c65555b2e40e4a2b395c3587
SHA1 b945e73a3493b873c06961b959cd757a39eba21c
SHA256 40c7db7ab42cf5092d2f33977dd852157f2f35849731707c4c745aff9ff0f605
SHA512 79f24bff9207842f31e535d6d2684da3a6ee0c95a4dee478ea91c5a9662da6b6bda635462e98ce292fe2e0ac6d2d3a05be4c09ce6b092f600412eff8bc231781

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe

MD5 a11945e746c9fa806eb18be733c964f1
SHA1 53a6221f2de3ce7934323a1c42a5af3b0aaf7b7b
SHA256 f60005a554c8c95deb3082367c2b9878c1bd0d8b4d5d46482ee2dfc3d5923916
SHA512 e5134f8fc8f488c7c2dcafe51a19ab96c3a2329ef04a1bc069fd5c141d320edfcb6e8b66a1aaab98bbf62ae0ecce12ae3916d8965f847e552d2d747d10887ec3

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe

MD5 a11945e746c9fa806eb18be733c964f1
SHA1 53a6221f2de3ce7934323a1c42a5af3b0aaf7b7b
SHA256 f60005a554c8c95deb3082367c2b9878c1bd0d8b4d5d46482ee2dfc3d5923916
SHA512 e5134f8fc8f488c7c2dcafe51a19ab96c3a2329ef04a1bc069fd5c141d320edfcb6e8b66a1aaab98bbf62ae0ecce12ae3916d8965f847e552d2d747d10887ec3

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe

MD5 89ee5623e076a055e327ed83e99751c1
SHA1 226dfc0fdc9d353024b681b37a790b0ff578e120
SHA256 e7b4b1821ee1861d02896c2e7471f88e256b27738e69e378595b72ef059bb4e7
SHA512 61b5901a02fbad039bf1c3bb874a03d8d901fd296769fe5b1eb6eee91c74e682480974cac6754046d53f2705ed2f337441b6510255f7a576f3da1fde428c512f

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe

MD5 89ee5623e076a055e327ed83e99751c1
SHA1 226dfc0fdc9d353024b681b37a790b0ff578e120
SHA256 e7b4b1821ee1861d02896c2e7471f88e256b27738e69e378595b72ef059bb4e7
SHA512 61b5901a02fbad039bf1c3bb874a03d8d901fd296769fe5b1eb6eee91c74e682480974cac6754046d53f2705ed2f337441b6510255f7a576f3da1fde428c512f

memory/8-42-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe

MD5 5c0f230733975ca9addb7fb932ba7fd8
SHA1 70332e6d8e29f8b334079fc914c6fc134453547e
SHA256 6aaadefd6b657971a15bd5a6afa20a0bc883b13d89c5109ccdd58f9bd3a14aa7
SHA512 5234959d6344c7a0026f33a7ae54c01ee085f7a4c96f1a0c29821c8d1c873d35371cc37c4d17ba99e5dcba059c3e4e7ca92782c580a0d28ffc4ed6a70b9175c0

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe

MD5 5c0f230733975ca9addb7fb932ba7fd8
SHA1 70332e6d8e29f8b334079fc914c6fc134453547e
SHA256 6aaadefd6b657971a15bd5a6afa20a0bc883b13d89c5109ccdd58f9bd3a14aa7
SHA512 5234959d6344c7a0026f33a7ae54c01ee085f7a4c96f1a0c29821c8d1c873d35371cc37c4d17ba99e5dcba059c3e4e7ca92782c580a0d28ffc4ed6a70b9175c0

memory/8-46-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/4716-49-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4716-48-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4716-51-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2504-55-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe

MD5 c2011d3310cff29568d9ab20ad415505
SHA1 af86053baa717cbbca466e3bd075bb187cbc998b
SHA256 bc1b26f413355f9de48f45ce11b6f44c4300242d90853af97a4ce8a8bfd0276b
SHA512 e1bd528acec5b056c4d1678f5cfbf3cc6ad67afd8a13e816846774f31369e81a695c1fcc64909ea42516b802a8724efb207c76f2382e5768338fcd189e839e1d

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe

MD5 c2011d3310cff29568d9ab20ad415505
SHA1 af86053baa717cbbca466e3bd075bb187cbc998b
SHA256 bc1b26f413355f9de48f45ce11b6f44c4300242d90853af97a4ce8a8bfd0276b
SHA512 e1bd528acec5b056c4d1678f5cfbf3cc6ad67afd8a13e816846774f31369e81a695c1fcc64909ea42516b802a8724efb207c76f2382e5768338fcd189e839e1d

memory/4716-47-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3264-56-0x00000000008B0000-0x00000000008C6000-memory.dmp

memory/2504-57-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe

MD5 a7ec035736ed03c89879b47b99e048d9
SHA1 1eb9f938f84eb95351dccbfcb065eda506458e71
SHA256 e142f2f54b96551f64ba2cbc996b366333e4a2a2e633c213536b5d9171a8e503
SHA512 83a903822cd54856052d72c3caec2e16f785af000963cbbf9cc28e590aaeeda04f33aa11afe6330e31e37380875b88dbd9107280994e8f143df12d0e4300708a

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe

MD5 a7ec035736ed03c89879b47b99e048d9
SHA1 1eb9f938f84eb95351dccbfcb065eda506458e71
SHA256 e142f2f54b96551f64ba2cbc996b366333e4a2a2e633c213536b5d9171a8e503
SHA512 83a903822cd54856052d72c3caec2e16f785af000963cbbf9cc28e590aaeeda04f33aa11afe6330e31e37380875b88dbd9107280994e8f143df12d0e4300708a

memory/4172-63-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mC4Wl2.exe

MD5 3b9216793f818f45fb2b64fae82d85d2
SHA1 d855071385d8d11d328f2dab7ff36a8177e98428
SHA256 d09bcda65ca225ad940e9d267decbe92b58b92c0e5669aa45688153eb53c0069
SHA512 a96d001e3de99ab7f5bec80e23f0fd83daf8e7e90410b3856cb7df27038549a72feed69c0ed65c998155d8a8bb655f6c5d36afe944045f63205c99de89953a13

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mC4Wl2.exe

MD5 3b9216793f818f45fb2b64fae82d85d2
SHA1 d855071385d8d11d328f2dab7ff36a8177e98428
SHA256 d09bcda65ca225ad940e9d267decbe92b58b92c0e5669aa45688153eb53c0069
SHA512 a96d001e3de99ab7f5bec80e23f0fd83daf8e7e90410b3856cb7df27038549a72feed69c0ed65c998155d8a8bb655f6c5d36afe944045f63205c99de89953a13

memory/4172-69-0x0000000074320000-0x0000000074AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 3b9216793f818f45fb2b64fae82d85d2
SHA1 d855071385d8d11d328f2dab7ff36a8177e98428
SHA256 d09bcda65ca225ad940e9d267decbe92b58b92c0e5669aa45688153eb53c0069
SHA512 a96d001e3de99ab7f5bec80e23f0fd83daf8e7e90410b3856cb7df27038549a72feed69c0ed65c998155d8a8bb655f6c5d36afe944045f63205c99de89953a13

memory/4172-70-0x0000000008010000-0x00000000085B4000-memory.dmp

memory/4172-71-0x0000000007B00000-0x0000000007B92000-memory.dmp

memory/4172-78-0x0000000007AC0000-0x0000000007AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 3b9216793f818f45fb2b64fae82d85d2
SHA1 d855071385d8d11d328f2dab7ff36a8177e98428
SHA256 d09bcda65ca225ad940e9d267decbe92b58b92c0e5669aa45688153eb53c0069
SHA512 a96d001e3de99ab7f5bec80e23f0fd83daf8e7e90410b3856cb7df27038549a72feed69c0ed65c998155d8a8bb655f6c5d36afe944045f63205c99de89953a13

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 3b9216793f818f45fb2b64fae82d85d2
SHA1 d855071385d8d11d328f2dab7ff36a8177e98428
SHA256 d09bcda65ca225ad940e9d267decbe92b58b92c0e5669aa45688153eb53c0069
SHA512 a96d001e3de99ab7f5bec80e23f0fd83daf8e7e90410b3856cb7df27038549a72feed69c0ed65c998155d8a8bb655f6c5d36afe944045f63205c99de89953a13

memory/4172-81-0x0000000007CD0000-0x0000000007CDA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6zu5RF0.exe

MD5 55fa5083ec09549eb1e2e89ec2fa976d
SHA1 f6b25904792563e722cf9c548150b7e717e4b22e
SHA256 a37f19851febfa2d21b376acd0af82d551cf846667e901654702d0fdc40decc8
SHA512 a1a6bbcb464ec8414703aae677406832020d014e4799b791dbe3cc63b0cb806ca97882c422070674dd9a8ac81ce5ed641f2834b8811a8e16db2d767f5c279b60

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6zu5RF0.exe

MD5 55fa5083ec09549eb1e2e89ec2fa976d
SHA1 f6b25904792563e722cf9c548150b7e717e4b22e
SHA256 a37f19851febfa2d21b376acd0af82d551cf846667e901654702d0fdc40decc8
SHA512 a1a6bbcb464ec8414703aae677406832020d014e4799b791dbe3cc63b0cb806ca97882c422070674dd9a8ac81ce5ed641f2834b8811a8e16db2d767f5c279b60

memory/4172-84-0x0000000008BE0000-0x00000000091F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7pK5iC66.exe

MD5 43f3990f2aec13d27d6864ceecbfd8d2
SHA1 7f8333f46aa0e7ce185158b44b79d70ba0a0ca36
SHA256 47dc8b4029b54022d91e54594d77b92a234852304093649fd6c53d8669039090
SHA512 96aa2a4bf598f731c1b91627d06d84f41ad042e1f41c4c234a5651f19ef5adbb674cf3a8d68d43aaf62656815550c14ee975c432fea3b184e70523cd42c4d4cb

memory/4172-87-0x0000000007E70000-0x0000000007F7A000-memory.dmp

memory/4172-88-0x0000000007DA0000-0x0000000007DB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7pK5iC66.exe

MD5 43f3990f2aec13d27d6864ceecbfd8d2
SHA1 7f8333f46aa0e7ce185158b44b79d70ba0a0ca36
SHA256 47dc8b4029b54022d91e54594d77b92a234852304093649fd6c53d8669039090
SHA512 96aa2a4bf598f731c1b91627d06d84f41ad042e1f41c4c234a5651f19ef5adbb674cf3a8d68d43aaf62656815550c14ee975c432fea3b184e70523cd42c4d4cb

memory/4172-91-0x0000000007E00000-0x0000000007E3C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ADD4.tmp\ADD5.tmp\ADD6.bat

MD5 0769624c4307afb42ff4d8602d7815ec
SHA1 786853c829f4967a61858c2cdf4891b669ac4df9
SHA256 7da27df04c56cf1aa11d427d9a3dff48b0d0df8c11f7090eb849abee6bfe421f
SHA512 df8e4c6e50c74f5daf89b3585a98980ac1dbacf4cce641571f8999e4263078e5d14863dae9cf64be4c987671a21ebdce3bf8e210715f68c5e383cc4d55f53106

memory/4172-93-0x0000000007F80000-0x0000000007FCC000-memory.dmp

memory/8-94-0x0000000074320000-0x0000000074AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 777424efaa0b7dc4020fed63a05319cf
SHA1 f4ff37d51b7dd7a46606762c1531644b8fbc99c7
SHA256 30d13502553b37ca0221b08f834e49be44ba9b9c2bbb032dded6e3ab3f0480d5
SHA512 7e61eab7b512ac99d2c5a5c4140bf0e27e638eb02235cd32364f0d43ee0784e2d8ac212d06a082c1dce9f61c63b507cb8feb17efffbd1954b617208740f72ad9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 777424efaa0b7dc4020fed63a05319cf
SHA1 f4ff37d51b7dd7a46606762c1531644b8fbc99c7
SHA256 30d13502553b37ca0221b08f834e49be44ba9b9c2bbb032dded6e3ab3f0480d5
SHA512 7e61eab7b512ac99d2c5a5c4140bf0e27e638eb02235cd32364f0d43ee0784e2d8ac212d06a082c1dce9f61c63b507cb8feb17efffbd1954b617208740f72ad9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

memory/8-109-0x0000000074320000-0x0000000074AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5b102b635552ec427eb990de4e60809d
SHA1 3410f20ba4fa3c7ac24e260bea7355bfc6a97490
SHA256 903da9b1f8c40c66938ee6e7d8436d044927065e8963a7af85a839ed3495d2c2
SHA512 d47b8cc7ecdc91c5be950ae284e050a8f10d7d435b7e40017e44d144f1aa245be9df748ca68b0d9bdc8b79842d7db5ce7c82aa2047ed9b80bc0665dc832ef761

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1e69e5456a4f29cbd926537e2a17c838
SHA1 e9a2267760353213fe88e10eee8fb4ad9d188363
SHA256 7dd0d536254eb64d723254638e87b723ee947a2478ac54e5d513c66b53c358df
SHA512 92bb42f19230939bab4126ff45e4c0fa939996c6567b8704ec7e27f918d19007c0a0150ef75a6f72027f7c4043b8c55582eb62f5960372553c773cc151dc8cb7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1e69e5456a4f29cbd926537e2a17c838
SHA1 e9a2267760353213fe88e10eee8fb4ad9d188363
SHA256 7dd0d536254eb64d723254638e87b723ee947a2478ac54e5d513c66b53c358df
SHA512 92bb42f19230939bab4126ff45e4c0fa939996c6567b8704ec7e27f918d19007c0a0150ef75a6f72027f7c4043b8c55582eb62f5960372553c773cc151dc8cb7

\??\pipe\LOCAL\crashpad_4828_EKRLGZOSLBATQUHR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_768_KSFLHYPHDXRKREXX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_1580_WTSACVZXEFNONFHB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 af4d69ab0e30187a0d5d7838d494dff8
SHA1 803551a7085c8a838c576ba7dad45b88c816c7b6
SHA256 244b9fc2b66f7d6a1f2b8265ab569f67cadf792e8371cecb78b1632d4655868c
SHA512 83a7f15aa7c3db9d398ead7c5e7ecc069c440109dce8f23694145da53cd1b25e81dd7869692c3f140a74aa2686a364917b72e06f384316f01f71ebe16200d2d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5b102b635552ec427eb990de4e60809d
SHA1 3410f20ba4fa3c7ac24e260bea7355bfc6a97490
SHA256 903da9b1f8c40c66938ee6e7d8436d044927065e8963a7af85a839ed3495d2c2
SHA512 d47b8cc7ecdc91c5be950ae284e050a8f10d7d435b7e40017e44d144f1aa245be9df748ca68b0d9bdc8b79842d7db5ce7c82aa2047ed9b80bc0665dc832ef761

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1e69e5456a4f29cbd926537e2a17c838
SHA1 e9a2267760353213fe88e10eee8fb4ad9d188363
SHA256 7dd0d536254eb64d723254638e87b723ee947a2478ac54e5d513c66b53c358df
SHA512 92bb42f19230939bab4126ff45e4c0fa939996c6567b8704ec7e27f918d19007c0a0150ef75a6f72027f7c4043b8c55582eb62f5960372553c773cc151dc8cb7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

memory/4172-314-0x0000000074320000-0x0000000074AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

MD5 a5c3c60ee66c5eee4d68fdcd1e70a0f8
SHA1 679c2d0f388fcf61ecc2a0d735ef304b21e428d2
SHA256 a77e911505d857000f49f47d29f28399475324bbf89c5c77066e9f9aca4dd234
SHA512 5a4f5a1e0de5e650ca4b56bfd8e6830b98272a74d75610ed6e2f828f47cdf8447fbc5d8404bcf706ca95e5833e7c255f251137855723b531d12cbc450062750a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 59f9d6873008533f713e17aa25a45639
SHA1 b1524fc1509d784901225d5bf9b04af0da6f0adf
SHA256 193b5c6c351ad4e5ac8e91e91b1d2db50e9a3e9f90237533762ce1acd35cdacb
SHA512 3e27ee91e3bb94f29581c7f683fad27119633c9e059f4a6906be69d1bc1f401457ff4508ddd12e4c8b3234621d0ab1706d854c958d6ccc6a192f3fbc343cd713

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

MD5 923a543cc619ea568f91b723d9fb1ef0
SHA1 6f4ade25559645c741d7327c6e16521e43d7e1f9
SHA256 bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
SHA512 a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 a6056708f2b40fe06e76df601fdc666a
SHA1 542f2a7be8288e26f08f55216e0c32108486c04c
SHA256 fe8009d99826585803f561c9d7b01c95ec4a666e92fedb2c1ca6fa0f50bb7152
SHA512 e83e64d00199a51c1f17faca3012f6f28ad54e5ac48acea6509cccdd61ddb08b03c3a895776944190a4e261393b90f9f516ad64b1b0e4cdd88a66f6f691331a4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c952a14d48aa778ab66ae9780c91bbc3
SHA1 298433562f74271b1b6aa02cafe28a8c4d178d33
SHA256 e84460e6f1dfd33745aae60312b2a6c7e097159f9b213d09b5b9dbbf2b6a9506
SHA512 0b2c91d173bdb1290207734265ae6ace4e47fe34a5a8536d128e10d53380fa8a86a5bf5e4299ded06975771dd8dba6e286a92f1c35016ae737ea9814690e3b9b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

MD5 b24045e033655badfcc5b3292df544fb
SHA1 7869c0742b4d5cd8f1341bb061ac6c8c8cf8544b
SHA256 ce60e71ab0f5a6f0a61ee048ff379b355d72cd01fda773380b4b474b4273ec6c
SHA512 0496eab064778fe47802d7f79a536022de4a89d085457ad0d092597f93e19653f750b86f5649768e18f631505ff9792c421ba3a14b9d30522d731b5cd3d8206c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 1c706d53e85fb5321a8396d197051531
SHA1 0d92aa8524fb1d47e7ee5d614e58a398c06141a4
SHA256 80c44553381f37e930f1c82a1dc2e77acd7b955ec0dc99d090d5bd6b32c3c932
SHA512 d43867392c553d4afffa45a1b87a74e819964011fb1226ee54e23a98fc63ca80e266730cec6796a2afa435b1ea28aed72c55eae1ae5d31ec778f53be3e2162fc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003d

MD5 990324ce59f0281c7b36fb9889e8887f
SHA1 35abc926cbea649385d104b1fd2963055454bf27
SHA256 67bcedd3040fc55d968bbe21df05c02b731181541aff4ae72b9205300a4a3ecc
SHA512 31e83da1ac217d25be6e7f35a041881b926f731fff69db6f144e4fe99b696a31f9ab7766ca22cf5a482743c2a2d00a699ca2c2d67837a86c471a2dd3bed9ea1f

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Cy92xA.exe

MD5 df0bd13edfdcbd83f1a89516afa0e803
SHA1 d2eba6a498ee95674fa437c94da6356897a59a68
SHA256 467c6c2a1c6495d6b81eab0113ee0d088966183f29c3f27b61ed2edf06b31c24
SHA512 e6a31e609633932ac172a31a639d5ca2ca47fa0664c2e276aad97363bd71d782e4e676c4ddf4d1b5de9661e2244bf5edf1a8f3650e1edd2086dd89801ac94938

C:\Users\Admin\AppData\Local\Temp\F926.exe

MD5 e561df80d8920ae9b152ddddefd13c7c
SHA1 0d020453f62d2188f7a0e55442af5d75e16e7caf
SHA256 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea
SHA512 a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4rX028OL.exe

MD5 a7ec035736ed03c89879b47b99e048d9
SHA1 1eb9f938f84eb95351dccbfcb065eda506458e71
SHA256 e142f2f54b96551f64ba2cbc996b366333e4a2a2e633c213536b5d9171a8e503
SHA512 83a903822cd54856052d72c3caec2e16f785af000963cbbf9cc28e590aaeeda04f33aa11afe6330e31e37380875b88dbd9107280994e8f143df12d0e4300708a

C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1cJ14rw7.exe

MD5 5c0f230733975ca9addb7fb932ba7fd8
SHA1 70332e6d8e29f8b334079fc914c6fc134453547e
SHA256 6aaadefd6b657971a15bd5a6afa20a0bc883b13d89c5109ccdd58f9bd3a14aa7
SHA512 5234959d6344c7a0026f33a7ae54c01ee085f7a4c96f1a0c29821c8d1c873d35371cc37c4d17ba99e5dcba059c3e4e7ca92782c580a0d28ffc4ed6a70b9175c0

memory/5132-640-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/5132-642-0x0000000007020000-0x0000000007030000-memory.dmp

memory/6976-644-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

memory/6976-645-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/6252-652-0x0000000000400000-0x0000000000434000-memory.dmp

memory/6252-653-0x0000000000400000-0x0000000000434000-memory.dmp

memory/6252-655-0x0000000000400000-0x0000000000434000-memory.dmp

memory/6552-660-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/6552-659-0x0000000000CD0000-0x0000000000D0E000-memory.dmp

memory/6552-663-0x0000000007C50000-0x0000000007C60000-memory.dmp

memory/6320-674-0x0000000000400000-0x0000000000480000-memory.dmp

memory/6320-676-0x0000000000550000-0x00000000005AA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1d0e573b239394772816eb2d839ac516
SHA1 d7562e74e9cb74fbd88b85682a753249de96596d
SHA256 a8394c21101e2c1c97ba445c8493f5513bf92c62c1abc957074e38ab34e94086
SHA512 d0b35009ad8ddbae796905c3512a950544df8bd6950c1a6b11c2d7b41482aad15ea3de9fae60a931e6f885ee920ea056ecd3d3cc7894590ae0042fdfca51b6a2

memory/6320-702-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/6320-724-0x0000000007630000-0x0000000007640000-memory.dmp

memory/5132-734-0x0000000074320000-0x0000000074AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

MD5 9ee8d611a9369b4a54ca085c0439120c
SHA1 74ac1126b6d7927ec555c5b4dc624f57d17df7bb
SHA256 e4cf7a17182adf614419d07a906cacf03b413bc51a98aacbcfc8b8da47f8581c
SHA512 926c00967129494292e3bf9f35dbcdef8efdbddc66114d7104fcc61aa6866298ad0182c0cbdf923b694f25bb9e18020e674fd1367df236a2c6506b859641c041

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000048

MD5 2d64caa5ecbf5e42cbb766ca4d85e90e
SHA1 147420abceb4a7fd7e486dddcfe68cda7ebb3a18
SHA256 045b433f94502cfa873a39e72d616c73ec1b4c567b7ee0f847f442651683791f
SHA512 c96556ec57dac504919e806c7df536c4f86892b8525739289b2f2dbbf475de883a4824069dbdd4bb1770dd484f321563a00892e6c79d48818a4b95406bf1af96

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000047

MD5 57613e143ff3dae10f282e84a066de28
SHA1 88756cc8c6db645b5f20aa17b14feefb4411c25f
SHA256 19b8db163bcc51732457efa40911b4a422f297ff3cd566467d87eab93cef0c14
SHA512 94f045e71b9276944609ca69fc4b8704e4447f9b0fc2b80789cc012235895c50ef9ecb781a3ed901a0c989bed26caa37d4d4a9baffcce2cb19606dbb16a17176

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000046

MD5 ce6bda6643b662a41b9fb570bdf72f83
SHA1 87bcf1d2820b476aaeaea91dc7f6dbedd73c1cb8
SHA256 0adf4d5edbc82d28879fdfaaf7274ba05162ff8cbbda816d69ed52f1dae547f6
SHA512 8023da9f9619d34d4e5f7c819a96356485f73fddcb8adb452f3ceefa8c969c16ca78a8c8d02d8e7a213eb9c5bbe5c50745ba7602e0ee2fe36d2742fb3e979c86

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000049

MD5 4f7c668ae0988bf759b831769bfd0335
SHA1 280a11e29d10bb78d6a5b4a1f512bf3c05836e34
SHA256 32d4c8dc451e11db315d047306feea0376fbdc3a77c0ab8f5a8ab154164734d1
SHA512 af959fe2a7d5f186bd79a6b1d02c69f058ecd52e60ebd0effa7f23b665a41500732ffa50a6e468a5253bb58644251586ae38ec53e21eab9140f1cf5fd291f6a5

memory/6320-787-0x0000000008150000-0x00000000081B6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b

MD5 48b805d8fa321668db4ce8dfd96db5b9
SHA1 e0ded2606559c8100ef544c1f1c704e878a29b92
SHA256 9a75f8cc40bbe9c9499e7b2d3bab98a447685a361489357a111479517005c954
SHA512 95da761ca3f99f7808a0148cfa2416b8c03d90859bff65b396061ada5a4394fb50e2a4b82986caab07bc1fcd73980fe9b08e804b3ce897762a17d2e44935076d

memory/5132-820-0x0000000007020000-0x0000000007030000-memory.dmp

memory/6976-864-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/6320-906-0x0000000009770000-0x00000000097C0000-memory.dmp

memory/6320-907-0x00000000097C0000-0x0000000009836000-memory.dmp

memory/6976-934-0x0000000074320000-0x0000000074AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8601192c9ca6b8aa02c3560ee8d29260
SHA1 a0561dd2deb0b52c434fd8968ae6fff8c5dd4e6c
SHA256 4ceb159907bb3828003c64a6c96116ccb05a164b67110cf2b50cb9f958d7ab44
SHA512 3d09846afbe76b82a69d4fe7697da2a618285af9338ba0f26c75bd2b78f1dbb7827eaad693e5ee3320e1fb30874cfc38978cae6e87307710ac31dca6b92205af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582882.TMP

MD5 cbfc646a931e689edfc625500e2e0492
SHA1 f31a101a614f0ccbdbe6b20afaaa5208f5fd0d2d
SHA256 b8ca9d51d8aabab035057c8663855dcdc9785c1cc65f47888cdf55bd4cc586fb
SHA512 7779605bdd7177e195a57491cadd284fc62cfb7e3ce9aa51c6415805a161ab854a6a24b387b08f120271007a65cfa1f87601f18386c9e5c2e0c8c34b1bf0dc56

memory/6552-981-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/7480-987-0x0000000000690000-0x0000000001074000-memory.dmp

memory/6552-986-0x0000000007C50000-0x0000000007C60000-memory.dmp

memory/7480-988-0x0000000074320000-0x0000000074AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 6e68805f0661dbeb776db896761d469f
SHA1 95e550b2f54e9167ae02f67e963703c593833845
SHA256 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47
SHA512 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc

memory/6320-996-0x0000000009970000-0x0000000009B32000-memory.dmp

memory/6320-999-0x0000000009B40000-0x000000000A06C000-memory.dmp

memory/6320-1004-0x0000000000400000-0x0000000000480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 89c82822be2e2bf37b5d80d575ef2ec8
SHA1 9fe2fad2faff04ad5e8d035b98676dedd5817eca
SHA256 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9
SHA512 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101

memory/6320-1007-0x000000000A340000-0x000000000A35E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/7220-1026-0x00000000002E0000-0x00000000002E8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f1b766b451585f422141ae9d4ca58876
SHA1 50051cc62e01ffba580e73b0a1a3338f9af3576f
SHA256 7a46c33c6bfc46a8b8e23d3ba2906307b7dde20e287f6911f51df6335deb1df9
SHA512 c4fdd53741060c453d793a8fc982d63f656c5e2ea0c656d0e499bf37d402eb879e6d8ec937232962a96eaa4186d7ef190fc9b45880e5fbe9b8224c73d231ca18

memory/6320-1031-0x0000000074320000-0x0000000074AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/7220-1053-0x00007FFC99AE0000-0x00007FFC9A5A1000-memory.dmp

memory/6320-1055-0x0000000007630000-0x0000000007640000-memory.dmp

memory/7480-1054-0x0000000074320000-0x0000000074AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 ce389db6262e500cb983acad6e33343d
SHA1 6e5a42b82263e0600834a1ebe37ac49286cdd9dc
SHA256 6cf93516be13ff01dc2aa691f7d32e4d1aa1db7bf69a0960c3c69c3716ff4863
SHA512 fff5e238c2d5fe0d77164f5c4b1eca284d35ff46dc4e4d28afb591bbc5e55ddf36347e27633269a83484c1c0f50784b8113a14a8f78e42d1de0d6127eebf2918

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 1a3f13fac6b639aa38952ff49ea57798
SHA1 0f69ead74745f26cca6f8e09d1b6773445bb90d8
SHA256 68cbd0daba8eebe22851ab53a81cbec050dee65d169dac72e63b6a5da4c47c68
SHA512 426709ca4a8372d1e3fea70fea1069c04734e738d0e9c764d65d921353424b4a9680a21df71986ef1f896503815d083f003b3cc1beb301b6bfc78819d3bd1c12

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 57db2915b37c389b008fe05c61bf8a0b
SHA1 7a96f5f789a5ef9b518b9475931ea4658e67fbb4
SHA256 2fc648028779ad72ed3c557eaaacd0da519d4915898b9f1450b98ff94e2b2761
SHA512 64dcb1adbe0f10da29fb5fc2db5bfecb60deb8debf54b2a19249855f9909999c5e2318678e211a0be1698765cd2d2bea10841ee2ebe1ad89f3d27aff027f9fc3

memory/3968-1082-0x0000000000A90000-0x0000000000E70000-memory.dmp

memory/3968-1083-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/3968-1084-0x00000000056A0000-0x000000000573C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 7e9a2a52576c56760174d96326844bf6
SHA1 a1a7e537901f00f8e5eb1757043032d533398d8a
SHA256 e04c9a1f1b4610ecb894769f13f50f2c62049dd8e90d7b3f3bc6a28d3d21bd4a
SHA512 9b3da96429fb67a28b3c3f9924e485c4fd2acb2bcbfcd45efbb19f4987ce8950874514c055e46e0d440d8316d401f626dc774c70b0e04e56d98e46dd6ce62a64

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 4eb84b1696f68db1c2803854add96fc3
SHA1 d9925a70754e5169187e4dc144da0c7b2a6fc7ec
SHA256 caff575a273c7ea112fa9c6a5087e6e9d730262110942c5fda16c08ceb9f3c78
SHA512 719adbeade0f2279279fa068a28bb5e089f4b6da5900b131e507b753134318d14498d2956352568c4d4dd1c1d406c0ede781d303185ec48e66d490d76ff8f427

memory/8068-1134-0x0000000000400000-0x0000000000418000-memory.dmp

memory/7220-1136-0x00007FFC99AE0000-0x00007FFC9A5A1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

MD5 9f1c899a371951195b4dedabf8fc4588
SHA1 7abeeee04287a2633f5d2fa32d09c4c12e76051b
SHA256 ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7
SHA512 86e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54

memory/7728-1148-0x0000000000540000-0x000000000057E000-memory.dmp

memory/7872-1173-0x0000000000610000-0x0000000000611000-memory.dmp

memory/7728-1147-0x0000000000400000-0x0000000000461000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037

MD5 bceb0378c3089b39ab86bdea6cd0ca3b
SHA1 f0eff49f445b4186e8f3c45e0111d91655f00e6b
SHA256 70ec4829127eb434e7391065ebe48b74ea072cfa4a27b7267369422a0de459d7
SHA512 64e8be49fac5a4857769e4ec0fac28f31d10075b58c86039bb6b6d2e9b4ddd1c4c7a3385717e450d8c19ceef3ce323b6c5ed1f4f6cdbb61ace01a61f102f76a9

memory/7728-1226-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/4656-1231-0x0000000000400000-0x0000000000409000-memory.dmp

memory/8196-1232-0x0000000000400000-0x0000000000611000-memory.dmp

memory/8196-1233-0x0000000000400000-0x0000000000611000-memory.dmp

memory/6800-1247-0x0000000004D50000-0x0000000004D60000-memory.dmp

memory/1312-1248-0x0000000002990000-0x0000000002D98000-memory.dmp

memory/8196-1238-0x0000000000400000-0x0000000000611000-memory.dmp

memory/1312-1249-0x0000000002EA0000-0x000000000378B000-memory.dmp

memory/6800-1237-0x0000000074320000-0x0000000074AD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe

MD5 b6d627dcf04d04889b1f01a14ec12405
SHA1 f7292c3d6f2003947cc5455b41df5f8fbd14df14
SHA256 9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf
SHA512 1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937

memory/3968-1258-0x0000000074320000-0x0000000074AD0000-memory.dmp

memory/4656-1218-0x0000000000400000-0x0000000000409000-memory.dmp

memory/6800-1217-0x00000000003C0000-0x00000000003DE000-memory.dmp

memory/7964-1215-0x00000000022D0000-0x00000000022D9000-memory.dmp

memory/7964-1187-0x00000000007D0000-0x00000000008D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

MD5 16d0a8bcbd4c95dd1a301f5477baf331
SHA1 fc87546d0b2729d0120ce7bb53884d0f03651765
SHA256 70c40438ca2493e0bb5717ebcaf4c8f3cb670761463c3d8dd84646ee65e5cd3f
SHA512 b554386babd36aae3e7dc6b2926e42176c21cafcf4406e4f71b94bd6bc1c3cc26dba0c4f5a1af3c94e2b623b3c783101f5a28f9dee35468ed217aa36496e275c

memory/7728-1289-0x0000000002540000-0x00000000025A1000-memory.dmp

memory/4656-1293-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3264-1291-0x0000000000900000-0x0000000000916000-memory.dmp

memory/9208-1365-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 cd016ae9db3a415ff3d72f36f5bf397b
SHA1 65fa822dab9a4f41f5b001bf2d11630a52f87e29
SHA256 0c18d310ad130a3495d9293b49c68f9d564766f9f2fd0d5d42a69cbd8d0538d6
SHA512 c23381e571515019bf0d8755bdafdcddda94f5927f03605d0bde646ab9a5952ef6ee811b01fe02774d526fa6445a378c60ca8d827f32541f30b533d62ee96dfa

memory/9208-1423-0x0000000000400000-0x000000000041B000-memory.dmp

memory/9208-1434-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4f13685ac4b60911312a3097671a49a0
SHA1 18f0be26a460a19c4fa3a4ddb9f93992aabdfbc0
SHA256 0afafc15a5158316c6b2ca107d4232e9d5210ed5ef6136e00bfb6239e25494e6
SHA512 e82f7f6df749e1cce65be24972d9101359bcba630595a8584cd5e24e26f2233296cad85e40b9157915d65d0e0acdc7985fff7c14c84314a57b8d1d28fe37212e

C:\Users\Admin\AppData\Local\Temp\350690463354

MD5 15ba0aa16369bedd74d597375ed378f2
SHA1 b05b17666a0b52305898bec6d22e20086b8739b7
SHA256 e5999e4445a4c5e07da62de5df71de8882cd38faddbb84822626682d7731034c
SHA512 7416b0aeaa6d0622075b6119239232a32fa710f55d5ad94827b40cbc4094c2d6d668dfaca27e5fb0d5cc649429130c95fef89ae73b7fab8eab6c0712c01f95eb

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_feyf3jyn.w3b.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll

MD5 1c27631e70908879e1a5a8f3686e0d46
SHA1 31da82b122b08bb2b1e6d0c904993d6d599dc93a
SHA256 478aa272d465eaa49c2f12fc141af2c0581f569ccf67f628747d90cc03a1e6a9
SHA512 7230ccad5e910f4f1aafb26642670c227a5d6e30f9c3de9a111e9c471651e54e352c56f34093667e6a51e78d01f3271c5e9d3248de5e1e82ae0e5d2aaea977dd

C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll

MD5 ceffd8c6661b875b67ca5e4540950d8b
SHA1 91b53b79c98f22d0b8e204e11671d78efca48682
SHA256 da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2
SHA512 6f78e3479c7b80cee0c2cea33a5b3e06c65b3e85a558f2df4b72211f714b81a2549daed0bc7ffe1456867b447ede9caeec73a6c4d2b345aad664d501212d07d4

C:\Users\Admin\AppData\Local\Temp\tmp8F0C.tmp

MD5 aeb9754f2b16a25ed0bd9742f00cddf5
SHA1 ef96e9173c3f742c4efbc3d77605b85470115e65
SHA256 df20bc98e43d13f417cd68d31d7550a1febdeaf335230b8a6a91669d3e69d005
SHA512 725662143a3ef985f28e43cc2775e798c8420a6d115fb9506fdfcc283fc67054149e22c6bc0470d1627426c9a33c7174cefd8dc9756bf2f5fc37734d5fcecc75

C:\Users\Admin\AppData\Local\Temp\tmp8EC8.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp8F6D.tmp

MD5 268f2938c85ad571fdff284e878c515d
SHA1 5431a2384d8455d7acf00762da81c54f4c816302
SHA256 d99fdec40dd3f55aff8c7dce3f944edb1dbec90ee040f681c6c17b6ebc0d6bcd
SHA512 303d2cd1df0cd917980bea9886ae1cf8aed4703b8f045a705b27130f6ea458222ed13f2da0b4c2da19fff45ce71319471c7863d16c10be232800182b83871a92

C:\Users\Admin\AppData\Local\Temp\tmp8F67.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp902A.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp90B3.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 f08c8ecacc77ebaf641be19fda53a30b
SHA1 d40dec8752eead950e573f7e1eb73c0668c70f0c
SHA256 7dfdfee75881f4a52bd2a7ff910729988ac5f1fd2d54d1cd91e6ff48af164bc6
SHA512 fe57528ec52add8c49b39322fdc8acd1614bbb76d4a92ff4f9571e7b7a147b9624fbdb85a78c436c4e7e3e640a4d735365b28ff0ed7940ff9403e86ec1f020d0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 bec4ffca2df4debcbaa6978458684556
SHA1 cb8ecdc5ed8485b972e942cd2aa26f560abe4cf6
SHA256 b699955e6a0b1720155533aae70c7de4497a9f376ccc425acd28df8e70e002c6
SHA512 6cf72b2ca7009a9f7d56ea34c85c56ea38ec14e7610931f09647ed79a69b93d018450469e765051dc21800e91b068a33aeb79e9a3bfabf6e5f307820f0a98eb3

memory/1984-1860-0x00007FF7DCFE0000-0x00007FF7DD581000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d5993de453cea3a1e1ccb4d64edb7742
SHA1 7487c59465d1749c02bc402e376c686abd26b606
SHA256 78dfab1bc723d2fb5122d07c10521f90fde8472f6b0e2c3cc48c0052a6ce42b5
SHA512 bd5b66a5127a9b82b25e0b522356dd06bffea286785300bc0b73f3f18914823987769615f2d2b7e740df6a0cf235d4b6df5d752d9c5a78a9b8ff7b4d8f159a4d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1cffc2103155d513604aa964d3ded95c
SHA1 e1294b1e18fa3e008bec4f6f0de7860b83b6d4ad
SHA256 476535087715af0ed6fff3b51fd664922746a0cdf08ac9bb22d1ed477d9928b2
SHA512 2e8fe8f88c74092b35db8bb1fa18c9b7947ff4b8d6cb9f955dccbb3147ac1d66c73b4c8d146af5a2cbd22651be8647774981ad48e904c10c0309990abb82be33

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 167580fa582d0e774fbc038fc4518574
SHA1 e600519001279883c0eab5534468db23fd89cd1e
SHA256 2a63748cda395829f65fd86f33429b31432d9f628746b50ba2a997eb547a3d21
SHA512 55d18102501cbd61dee4675b082daf9322117fe46b157e54d5d94f32201e38af26227c8dba65dcc38f56f8db744febb9f09a2f2f27306debb42bcf00000d58c0

memory/1312-1935-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/8324-1974-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 98f89ce8e025361f38399da3f5fc5eef
SHA1 22887111e7703335be6cdd4d9be6501218127bed
SHA256 5b7263d3a9a3bafbb22ba433cfb2a89012404d2e7dff67d43c093d2b8b960c14
SHA512 9268c0e25b0e2a7075a87234629a7223682ae3214033aea34b85e04d425583b411031f625edc5204fc0efbac22c199b465b4cc77a3e8d28f4c41950701e44001

memory/5500-2114-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/6588-2185-0x00007FF70DBE0000-0x00007FF70E181000-memory.dmp

memory/7772-2186-0x00000000019E0000-0x0000000001A00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\350690463354

MD5 88972fd1ad4882838724c300fe094315
SHA1 85c4809de9e40e16db0101bfe1bdeb5248d10e5b
SHA256 efc96b8a9aff8b543b5bbf1154631df12e4693c6a96296a296e95ed6db8b7da6
SHA512 d47e380c1ee72a2d140c1f1351eff1696a160da11287667bee697d4479019be6a406341c4aea75241920e286e9757157cea23a290d41ce754d3e9f656a1b8e20