Malware Analysis Report

2025-01-02 03:50

Sample ID 231211-najqlsdabq
Target 4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685
SHA256 4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685
Tags
dcrat djvu privateloader risepro smokeloader zgrat pub1 backdoor paypal collection discovery evasion infostealer loader persistence phishing ransomware rat spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685

Threat Level: Known bad

The file 4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685 was found to be: Known bad.

Malicious Activity Summary

dcrat djvu privateloader risepro smokeloader zgrat pub1 backdoor paypal collection discovery evasion infostealer loader persistence phishing ransomware rat spyware stealer themida trojan

RisePro

Djvu Ransomware

SmokeLoader

PrivateLoader

Detect ZGRat V1

DcRat

Detected Djvu ransomware

ZGRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Reads user/profile data of local email clients

Checks computer location settings

Executes dropped EXE

Checks BIOS information in registry

Modifies file permissions

Drops startup file

Deletes itself

Themida packer

.NET Reactor protector

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Checks installed software on the system

Adds Run key to start application

Checks whether UAC is enabled

AutoIT Executable

Suspicious use of SetThreadContext

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Detected potential entity reuse from brand paypal.

Unsigned PE

Enumerates physical storage devices

Program crash

Checks processor information in registry

outlook_win_path

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 11:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 11:11

Reported

2023-12-11 11:14

Platform

win10v2004-20231130-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\34a4529c-05be-470b-961a-f50bbbc79781\\FDBC.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\FDBC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\B9CC.exe N/A

Downloads MZ/PE file

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\B9CC.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\B9CC.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FDBC.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wv74ig1.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wv74ig1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wv74ig1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wv74ig1.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JH3Pl60.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wv74ig1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\34a4529c-05be-470b-961a-f50bbbc79781\\FDBC.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\FDBC.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8155.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\B9CC.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.2ip.ua N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wv74ig1.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wv74ig1.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wv74ig1.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wv74ig1.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B9CC.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iK118kK.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\A74C.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\A74C.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\A74C.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iK118kK.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iK118kK.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wv74ig1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wv74ig1.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A6F.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A6F.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\8781.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\AceFlags\edkxlv\ContextProperties.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\AceFlags\edkxlv\ContextProperties.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\qczafk.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6vU0Xm9.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6vU0Xm9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6vU0Xm9.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6vU0Xm9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6vU0Xm9.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6vU0Xm9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6vU0Xm9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6vU0Xm9.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6vU0Xm9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6vU0Xm9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe
PID 1232 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe
PID 1232 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe
PID 1232 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe
PID 1232 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe
PID 1232 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe
PID 3340 wrote to memory of 4424 N/A N/A C:\Users\Admin\AppData\Local\Temp\A74C.exe
PID 3340 wrote to memory of 4424 N/A N/A C:\Users\Admin\AppData\Local\Temp\A74C.exe
PID 3340 wrote to memory of 4424 N/A N/A C:\Users\Admin\AppData\Local\Temp\A74C.exe
PID 4424 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\A74C.exe C:\Users\Admin\AppData\Local\Temp\A74C.exe
PID 4424 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\A74C.exe C:\Users\Admin\AppData\Local\Temp\A74C.exe
PID 4424 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\A74C.exe C:\Users\Admin\AppData\Local\Temp\A74C.exe
PID 4424 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\A74C.exe C:\Users\Admin\AppData\Local\Temp\A74C.exe
PID 4424 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\A74C.exe C:\Users\Admin\AppData\Local\Temp\A74C.exe
PID 4424 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\A74C.exe C:\Users\Admin\AppData\Local\Temp\A74C.exe
PID 3340 wrote to memory of 3460 N/A N/A C:\Windows\system32\cmd.exe
PID 3340 wrote to memory of 3460 N/A N/A C:\Windows\system32\cmd.exe
PID 3460 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3460 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3340 wrote to memory of 540 N/A N/A C:\Users\Admin\AppData\Local\Temp\B9CC.exe
PID 3340 wrote to memory of 540 N/A N/A C:\Users\Admin\AppData\Local\Temp\B9CC.exe
PID 3340 wrote to memory of 540 N/A N/A C:\Users\Admin\AppData\Local\Temp\B9CC.exe
PID 3340 wrote to memory of 3064 N/A N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 3340 wrote to memory of 3064 N/A N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 3340 wrote to memory of 3064 N/A N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 3064 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 3064 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 3064 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 3064 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 3064 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 3064 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 3064 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 3064 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 3064 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 3064 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 3420 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Windows\SysWOW64\icacls.exe
PID 3420 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Windows\SysWOW64\icacls.exe
PID 3420 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Windows\SysWOW64\icacls.exe
PID 3420 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 3420 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 3420 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 1192 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 1192 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 1192 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 1192 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 1192 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 1192 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 1192 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 1192 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 1192 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 1192 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\FDBC.exe C:\Users\Admin\AppData\Local\Temp\FDBC.exe
PID 3340 wrote to memory of 3456 N/A N/A C:\Users\Admin\AppData\Local\Temp\A6F.exe
PID 3340 wrote to memory of 3456 N/A N/A C:\Users\Admin\AppData\Local\Temp\A6F.exe
PID 3456 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\A6F.exe C:\Users\Admin\AppData\Local\Temp\A6F.exe
PID 3456 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\A6F.exe C:\Users\Admin\AppData\Local\Temp\A6F.exe
PID 3456 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\A6F.exe C:\Users\Admin\AppData\Local\Temp\A6F.exe
PID 3456 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\A6F.exe C:\Users\Admin\AppData\Local\Temp\A6F.exe
PID 3456 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\A6F.exe C:\Users\Admin\AppData\Local\Temp\A6F.exe
PID 3456 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\A6F.exe C:\Users\Admin\AppData\Local\Temp\A6F.exe
PID 3340 wrote to memory of 1524 N/A N/A C:\Users\Admin\AppData\Local\Temp\8155.exe
PID 3340 wrote to memory of 1524 N/A N/A C:\Users\Admin\AppData\Local\Temp\8155.exe
PID 3340 wrote to memory of 1524 N/A N/A C:\Users\Admin\AppData\Local\Temp\8155.exe
PID 1524 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\8155.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JH3Pl60.exe
PID 1524 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\8155.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JH3Pl60.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wv74ig1.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wv74ig1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe

"C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe"

C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe

"C:\Users\Admin\AppData\Local\Temp\4ee6c4aedb5280d1d4dce30cbac3910b99dd371bb62642876774896e5fdc2685.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 2180 -ip 2180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 332

C:\Users\Admin\AppData\Local\Temp\A74C.exe

C:\Users\Admin\AppData\Local\Temp\A74C.exe

C:\Users\Admin\AppData\Local\Temp\A74C.exe

C:\Users\Admin\AppData\Local\Temp\A74C.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A8F3.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\B9CC.exe

C:\Users\Admin\AppData\Local\Temp\B9CC.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3560 -s 328

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3560 -ip 3560

C:\Users\Admin\AppData\Local\Temp\FDBC.exe

C:\Users\Admin\AppData\Local\Temp\FDBC.exe

C:\Users\Admin\AppData\Local\Temp\FDBC.exe

C:\Users\Admin\AppData\Local\Temp\FDBC.exe

C:\Users\Admin\AppData\Local\Temp\FDBC.exe

"C:\Users\Admin\AppData\Local\Temp\FDBC.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\34a4529c-05be-470b-961a-f50bbbc79781" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\FDBC.exe

"C:\Users\Admin\AppData\Local\Temp\FDBC.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1124 -ip 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 568

C:\Users\Admin\AppData\Local\Temp\A6F.exe

C:\Users\Admin\AppData\Local\Temp\A6F.exe

C:\Users\Admin\AppData\Local\Temp\A6F.exe

C:\Users\Admin\AppData\Local\Temp\A6F.exe

C:\Users\Admin\AppData\Local\Temp\8155.exe

C:\Users\Admin\AppData\Local\Temp\8155.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JH3Pl60.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JH3Pl60.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wv74ig1.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wv74ig1.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Users\Admin\AppData\Local\Temp\8781.exe

C:\Users\Admin\AppData\Local\Temp\8781.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3756 -ip 3756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 1712

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iK118kK.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4iK118kK.exe

C:\Users\Admin\AppData\Local\AceFlags\edkxlv\ContextProperties.exe

C:\Users\Admin\AppData\Local\AceFlags\edkxlv\ContextProperties.exe

C:\Users\Admin\AppData\Local\AceFlags\edkxlv\ContextProperties.exe

C:\Users\Admin\AppData\Local\AceFlags\edkxlv\ContextProperties.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6vU0Xm9.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6vU0Xm9.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffa296346f8,0x7ffa29634708,0x7ffa29634718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa296346f8,0x7ffa29634708,0x7ffa29634718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa296346f8,0x7ffa29634708,0x7ffa29634718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa296346f8,0x7ffa29634708,0x7ffa29634718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa296346f8,0x7ffa29634708,0x7ffa29634718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa296346f8,0x7ffa29634708,0x7ffa29634718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,12436137954349323869,14032988634349145508,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,12436137954349323869,14032988634349145508,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa296346f8,0x7ffa29634708,0x7ffa29634718

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,11032275970353474552,15824898190126634926,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,15123579037551721357,1801539959250158146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x180,0x184,0x188,0x15c,0x18c,0x7ffa296346f8,0x7ffa29634708,0x7ffa29634718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,8195163209347415101,9619130004733366794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa296346f8,0x7ffa29634708,0x7ffa29634718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffa296346f8,0x7ffa29634708,0x7ffa29634718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5060 -ip 5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7236 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1528

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7640 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7640 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\E65.exe

C:\Users\Admin\AppData\Local\Temp\E65.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6436 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9714396534977351590,335874050732257697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\qczafk.exe

C:\Users\Admin\AppData\Local\Temp\qczafk.exe

C:\Users\Admin\AppData\Local\Temp\qczafk.exe

C:\Users\Admin\AppData\Local\Temp\qczafk.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 100 -ip 100

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 100 -s 2212

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 24.52.193.212.in-addr.arpa udp
US 8.8.8.8:53 galandskiyher5.com udp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
US 8.8.8.8:53 edarululoom.com udp
US 188.114.97.2:443 edarululoom.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 38.47.221.193:34368 tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
US 8.8.8.8:53 brusuax.com udp
IR 2.180.10.7:80 brusuax.com tcp
US 8.8.8.8:53 7.10.180.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 38.47.221.193:34368 tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 185.196.8.238:80 185.196.8.238 tcp
RU 212.193.52.24:80 galandskiyher5.com tcp
US 8.8.8.8:53 238.8.196.185.in-addr.arpa udp
RU 212.193.52.24:80 galandskiyher5.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
RU 212.193.52.24:80 galandskiyher5.com tcp
BG 91.92.243.247:80 tcp
US 38.47.221.193:34368 tcp
US 38.47.221.193:34368 tcp
US 38.47.221.193:34368 tcp
RU 212.193.52.24:80 galandskiyher5.com tcp

Files
