Malware Analysis Report

2025-01-02 03:48

Sample ID 231213-b2gdcaecdl
Target 033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d
SHA256 033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d
Tags
dcrat djvu lumma privateloader risepro smokeloader pu10 backdoor paypal collection discovery infostealer loader persistence phishing ransomware rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d

Threat Level: Known bad

The file 033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d was found to be: Known bad.

Malicious Activity Summary

RisePro

SmokeLoader

Detect Lumma Stealer payload V4

Detected Djvu ransomware

PrivateLoader

DcRat

Djvu Ransomware

Lumma Stealer

Downloads MZ/PE file

Modifies file permissions

Drops startup file

Executes dropped EXE

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Deletes itself

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Accesses Microsoft Outlook profiles

Checks installed software on the system

AutoIT Executable

Suspicious use of SetThreadContext

Detected potential entity reuse from brand paypal.

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of UnmapMainImage

Checks SCSI registry key(s)

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Task Scheduler COM API

outlook_office_path

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: MapViewOfSection

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-13 01:38

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-13 01:38

Reported

2023-12-13 01:40

Platform

win10v2004-20231127-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe"

Signatures

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fb6eff3a-e323-4d9f-83d9-03b8ee3ef521\\E521.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\E521.exe | N/A

Detect Lumma Stealer payload V4

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Djvu Ransomware

ransomware djvu

Lumma Stealer

stealer lumma

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\E521.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Mg8373.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Mg8373.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Mg8373.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Mg8373.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fb6eff3a-e323-4d9f-83d9-03b8ee3ef521\\E521.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\E521.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\F5CC.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ja9MQ57.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Mg8373.exe | N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Mg8373.exe | N/A
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Mg8373.exe | N/A
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Mg8373.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Mg8373.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jeajsia | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jeajsia | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jeajsia | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Mg8373.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Mg8373.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\jeajsia | N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | N/A

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2488 wrote to memory of 3860 | N/A | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe
PID 2488 wrote to memory of 3860 | N/A | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe
PID 2488 wrote to memory of 3860 | N/A | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe
PID 2488 wrote to memory of 3860 | N/A | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe
PID 2488 wrote to memory of 3860 | N/A | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe
PID 2488 wrote to memory of 3860 | N/A | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe | C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe
PID 1972 wrote to memory of 3740 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 3740 | N/A | N/A | C:\Windows\system32\cmd.exe
PID 3740 wrote to memory of 2820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 3740 wrote to memory of 2820 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 1972 wrote to memory of 1028 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 1972 wrote to memory of 1028 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 1972 wrote to memory of 1028 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 1028 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 1028 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 1028 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 1028 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 1028 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 1028 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 1028 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 1028 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 1028 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 1028 wrote to memory of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 8 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Windows\SysWOW64\icacls.exe
PID 8 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Windows\SysWOW64\icacls.exe
PID 8 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Windows\SysWOW64\icacls.exe
PID 8 wrote to memory of 4100 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 8 wrote to memory of 4100 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 8 wrote to memory of 4100 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 4100 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 4100 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 4100 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 4100 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 4100 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 4100 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 4100 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 4100 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 4100 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 4100 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\E521.exe | C:\Users\Admin\AppData\Local\Temp\E521.exe
PID 1972 wrote to memory of 2956 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F5CC.exe
PID 1972 wrote to memory of 2956 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F5CC.exe
PID 1972 wrote to memory of 2956 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F5CC.exe
PID 2956 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\F5CC.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ja9MQ57.exe
PID 2956 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\F5CC.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ja9MQ57.exe
PID 2956 wrote to memory of 4232 | N/A | C:\Users\Admin\AppData\Local\Temp\F5CC.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ja9MQ57.exe
PID 4232 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ja9MQ57.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe
PID 4232 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ja9MQ57.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe
PID 4232 wrote to memory of 3820 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ja9MQ57.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe
PID 3820 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3820 wrote to memory of 4316 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3820 wrote to memory of 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3820 wrote to memory of 3172 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4316 wrote to memory of 3472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4316 wrote to memory of 3472 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3172 wrote to memory of 1324 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3172 wrote to memory of 1324 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3820 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3820 wrote to memory of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2088 wrote to memory of 3260 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2088 wrote to memory of 3260 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3820 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3820 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2984 wrote to memory of 4092 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2984 wrote to memory of 4092 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Mg8373.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Mg8373.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe

"C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe"

C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe

"C:\Users\Admin\AppData\Local\Temp\033ce95b4642598f17181c3cfd35e07532a16fec52375484803b79b62cf9c65d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D0EC.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\E521.exe

C:\Users\Admin\AppData\Local\Temp\E521.exe

C:\Users\Admin\AppData\Local\Temp\E521.exe

C:\Users\Admin\AppData\Local\Temp\E521.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\fb6eff3a-e323-4d9f-83d9-03b8ee3ef521" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\E521.exe

"C:\Users\Admin\AppData\Local\Temp\E521.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\E521.exe

"C:\Users\Admin\AppData\Local\Temp\E521.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1408 -ip 1408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 568

C:\Users\Admin\AppData\Local\Temp\F5CC.exe

C:\Users\Admin\AppData\Local\Temp\F5CC.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ja9MQ57.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ja9MQ57.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff535f46f8,0x7fff535f4708,0x7fff535f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff535f46f8,0x7fff535f4708,0x7fff535f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x14c,0x170,0x7fff535f46f8,0x7fff535f4708,0x7fff535f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x14c,0x16c,0x7fff535f46f8,0x7fff535f4708,0x7fff535f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff535f46f8,0x7fff535f4708,0x7fff535f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff535f46f8,0x7fff535f4708,0x7fff535f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7fff535f46f8,0x7fff535f4708,0x7fff535f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff535f46f8,0x7fff535f4708,0x7fff535f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,12060759296371759813,76880810976692341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,6207617103694942793,7234828070374252782,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,2674167083798641804,15963619099388881450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,2674167083798641804,15963619099388881450,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,6207617103694942793,7234828070374252782,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,11484408056293323259,16850089396883985186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,11484408056293323259,16850089396883985186,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,17963123020035663457,6369049871419578103,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,17963123020035663457,6369049871419578103,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,12060759296371759813,76880810976692341,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7fff535f46f8,0x7fff535f4708,0x7fff535f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7fff535f46f8,0x7fff535f4708,0x7fff535f4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Mg8373.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Mg8373.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,11128717620380130097,8399782826560661502,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,11128717620380130097,8399782826560661502,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7752 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7752 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7552 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7620 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6912 -ip 6912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6912 -s 1776

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7wd5pG26.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7wd5pG26.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6568 -ip 6568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 1008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7344 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4447946078368859798,6325748589152534130,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8180 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Roaming\jeajsia

C:\Users\Admin\AppData\Roaming\jeajsia

C:\Users\Admin\AppData\Roaming\jeajsia

C:\Users\Admin\AppData\Roaming\jeajsia

Network

US 8.8.8.8:53 www.recaptcha.net udp
US 172.67.221.65:80 soupinterestoe.fun tcp
GB 142.250.200.3:443 www.recaptcha.net tcp
US 192.55.233.1:443 tcp
US 8.8.8.8:53 dayfarrichjwclik.fun udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 65.221.67.172.in-addr.arpa udp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
US 104.21.80.57:80 dayfarrichjwclik.fun tcp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 t.paypal.com udp
US 151.101.1.35:443 t.paypal.com tcp
US 8.8.8.8:53 neighborhoodfeelsa.fun udp
US 172.67.143.130:80 neighborhoodfeelsa.fun tcp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 diagramfiremonkeyowwa.fun udp
US 172.67.183.217:80 diagramfiremonkeyowwa.fun tcp
US 8.8.8.8:53 b.stats.paypal.com udp
US 64.4.245.84:443 b.stats.paypal.com tcp
US 8.8.8.8:53 login.steampowered.com udp
GB 104.103.202.103:443 login.steampowered.com tcp
GB 142.250.200.3:443 www.recaptcha.net udp
US 172.67.161.55:80 ratefacilityframw.fun tcp
US 8.8.8.8:53 57.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 35.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 130.143.67.172.in-addr.arpa udp
US 8.8.8.8:53 217.183.67.172.in-addr.arpa udp
US 8.8.8.8:53 84.245.4.64.in-addr.arpa udp
US 8.8.8.8:53 reviveincapablewew.pw udp
US 8.8.8.8:53 cakecoldsplurgrewe.pw udp
US 8.8.8.8:53 opposesicknessopw.pw udp
US 8.8.8.8:53 politefrightenpowoa.pw udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 55.161.67.172.in-addr.arpa udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 dub.stats.paypal.com udp
US 64.4.245.84:443 dub.stats.paypal.com tcp
GB 104.103.202.103:443 login.steampowered.com tcp
US 8.8.8.8:53 sentry.io udp
US 35.186.247.156:443 sentry.io tcp
US 8.8.8.8:53 c6.paypal.com udp
US 151.101.1.35:443 c6.paypal.com tcp
US 8.8.8.8:53 156.247.186.35.in-addr.arpa udp
CZ 65.9.95.66:443 static-assets-prod.unrealengine.com tcp
US 104.244.42.130:443 api.twitter.com tcp
US 104.244.42.130:443 api.twitter.com tcp
US 8.8.8.8:53 talon-website-prod.ecosec.on.epicgames.com udp
US 104.18.41.136:443 talon-website-prod.ecosec.on.epicgames.com tcp
US 35.186.247.156:443 sentry.io udp
US 8.8.8.8:53 136.41.18.104.in-addr.arpa udp
FR 216.58.204.68:443 www.google.com udp
US 8.8.8.8:53 talon-service-prod.ecosec.on.epicgames.com udp
US 172.64.146.120:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 172.64.146.120:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 172.64.146.120:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 8.8.8.8:53 js.hcaptcha.com udp
US 104.19.219.90:443 js.hcaptcha.com tcp
US 8.8.8.8:53 120.146.64.172.in-addr.arpa udp
US 8.8.8.8:53 90.219.19.104.in-addr.arpa udp
US 8.8.8.8:53 rr3---sn-q4flrn7y.googlevideo.com udp
US 209.85.165.136:443 rr3---sn-q4flrn7y.googlevideo.com tcp
US 209.85.165.136:443 rr3---sn-q4flrn7y.googlevideo.com tcp
US 209.85.165.136:443 rr3---sn-q4flrn7y.googlevideo.com tcp
US 209.85.165.136:443 rr3---sn-q4flrn7y.googlevideo.com tcp
US 8.8.8.8:53 newassets.hcaptcha.com udp
US 8.8.8.8:53 136.165.85.209.in-addr.arpa udp
US 209.85.165.136:443 rr3---sn-q4flrn7y.googlevideo.com tcp
US 209.85.165.136:443 rr3---sn-q4flrn7y.googlevideo.com tcp
US 8.8.8.8:53 api.hcaptcha.com udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
GB 142.250.178.14:443 youtube.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
BE 74.125.71.84:443 accounts.google.com udp

Files

memory/2488-1-0x0000000000A80000-0x0000000000B80000-memory.dmp

memory/2488-2-0x00000000009C0000-0x00000000009C9000-memory.dmp

memory/3860-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3860-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3860-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1972-5-0x0000000002CA0000-0x0000000002CB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D0EC.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\E521.exe

MD5 d6709cc2adb09d6ff003d52ece25c894
SHA1 1f5b110ab3549efac240ff309bbcb934c26a072a
SHA256 fb5c249e2a353691a022f786fabcdc80037824e1f018ddb01d2a5f68c62e2167
SHA512 9501a3818f7e478f546438582a654592bc2c541cdb7d1b54dfb931672a6da74b5e0c3b6a9ee5080dd604762bdb7be3222c931223acc7c79c51b3b06ea72e002d

memory/1028-23-0x0000000002560000-0x00000000025FB000-memory.dmp

memory/8-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1028-24-0x0000000002600000-0x000000000271B000-memory.dmp

memory/8-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/8-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/8-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/8-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4100-41-0x0000000002460000-0x00000000024F4000-memory.dmp

memory/1408-44-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1408-45-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1408-47-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F5CC.exe

MD5 7f2f5a15034c540ea8e93d89465f4afb
SHA1 6f09c036c6bd48f68cc96899442c3105c8c9427f
SHA256 63affcd7bd9f4ec501f0c51e1b544cfb4f9ff324bbb6712eb31d5847d850f82e
SHA512 5ae0c8f8c07b853611569e78bfda61cc740b9104a6417ce2f5b03b0d4fc4f201a73f2f8ea3c50e38ca035a791b8a51ad612e3d2dc3d17b91f7587ba22ecf2e83

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ja9MQ57.exe

MD5 b054796f03233e6e94d4c4c1febace44
SHA1 a42cca353c5b35175473fc94f2a657e7b3d66547
SHA256 1282cecf79b7f71630a17af04c7aec43a86c5014db19290d4bbfbf16627032e4
SHA512 3ffc08f32aca33635f0bf0df668d9a9c47db3ae2d990a3d36aea56da40402c8267f188ec66b47c652174aed1a4ac56bbefbc6d835d3b6ee99341c7559b08083b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Um41Rf4.exe

MD5 5bbc7a3d49619274f68255308fd8f041
SHA1 1c3ff2468cf6122c1754df2c6f61a1fc76c535f1
SHA256 e88fd25b815bd13ef3b9403cc6cca2121b480266685a3eb91f3176e9973e7086
SHA512 f5fe13448cde9c07c8cc0b15eee36d3dc0ed6da035867b78e8ff0dc0ddd5adc0a60f58e11226fc0bdfdbcb76734a36b3600d514fbfa3881763feac110700251f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d94c59e136e2bc795637c1c05e315e35
SHA1 0ec32d5c51c34e9215b5390e7aa4add173310f01
SHA256 ad71bfe2069efebb4ca211ae6ec21473fc1b43dd3269b8523c5b67da6edcb41f
SHA512 57a5c50bd9e87b20200ecbd18ed2bd7712a46fcb9f5ce3d3aecdb768bcfa52d5025f9fd40523015414aeac3e8c94c9ab1caa6ae006dc4e9e7ab58c92607ffd6c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 890585f0e978711e84e103f4e737e1b8
SHA1 12b9a7b4a1a016c8a0d4458f389135ed23574e27
SHA256 c83ee823a77974192ee702a6b550e28046fe4f60798e471e7b5b75c1f623c092
SHA512 246b774837bfb5c3f158024986fb040419974c7a8c1e6f6875e713760385084b32cfa294a5195598e7968632d1e2e4f553545f6d084cb4e5204a868aabdc0297

\??\pipe\LOCAL\crashpad_3172_AYLXNOXMBOFDLCAJ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e9fa9d5ff344fe84929953ea8f1ac89e
SHA1 ce42cc307f9483b22658fe43842937aad6ef82d7
SHA256 4df540d9338a2af44fc263ca1ba3c93140adb34925b3452f278c3088776da8e7
SHA512 82267d72f15f9e9b6968b09973385573fb7b3a59bd8ee206deb354e9d69802bdc63e9d4113b56bf57ef871a2418c2f65495349d3383a3b0b5dea2cd7af1129bb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 656ec6232aaf288f4eddbb1bf63fce69
SHA1 d1576f8188370243d4bce8400492f9a5b3f5cc94
SHA256 143e02dc9e027aaecf073d2bfe4d1e0067427fcf9b259539283334680f4203bd
SHA512 41268e355f146d70fc7b2ab1fd4358d3f0f5ac4a7c971e78a35d63a5ea492e4f0cafe45a1bd44941a2b8047c1ca50fc1e4c13eea8732710734a60b67a233ebba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 577fbb1605de6f9d707b1536af15c754
SHA1 4c147bb938e1a8028862f02e4e122025672957eb
SHA256 9e91a304a6152e74f396aa23ece934648b8d809c82606ab94ea4c0dbdc6a94c4
SHA512 a1c3a488f497dde78157b698b3e613d2d8bf70544437b299cdba7443c976f0b528b6cb8a1f4cbab3e6ca5c1e10d43e64bdd87ad7eed8dfa62eabff5061c5ac99

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 23e72bf8971dd9b4ba6f021692077a91
SHA1 6c73cb21e424370fed7d606f7b6c054bfacf5ae7
SHA256 976ece6f125316f931717cfb465a3c6f9b24c11acaa699465e97a10f402a4ae4
SHA512 17811eb145dfba3983dc0e3f6d67495264ea99b511162d6b49195df657a1fe22d1e4b7dfce810c319aeb0f5e530f28e644fb826340dac3d1624f9d99fd470799

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2Mg8373.exe

MD5 f8e7488fd4ced59d6eb387447bc37430
SHA1 560ed0a592273875ae66a93efd611f76a9da7ee7
SHA256 30d11b5bd1ed2f376bb2c6dd47299a54702bf9cfdfc0d32e5f50c1adf83ae347
SHA512 0e7445eb71a24e10c13a706189cc972d9d590bbd456f27b4008243161868fc6b0e86fd8fadf42f61502aa913f39e2a3fedb7de236b80a2bff05378b7ade6cdb2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c7027d2efa4ea21c0dd20943dd348cb7
SHA1 00a4ad7f06ced9848a94f5bd86822cd64a983ecc
SHA256 1a2435cd5be7c4ad76c644ce94d4e58405a8bba0827660f26353e011f52045ae
SHA512 f9dee2f8ab5dbbc14aef56bf3b82bb83279b169adc245531b706cd2e2748cb04d2f4b7271393ad8b0b8910214cd27f0795fe8fd6d02a621e8408be060140dd6b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bc38313c6d639f99d39598e62e7fdfb0
SHA1 f8d795d751f70b3f8c840bcbbe0bdea1bbdd917b
SHA256 f2a45da7571d7a085a8700457793c9200c8abead97a4a9ccc4f180390b3be0bd
SHA512 72b220b394d079d5b5c5ca5aed5ffdce11000952cd6489b303c44b517ac5ee8b95cfa33b2d888c65ba032d384c708fccfd2ba3354a2f866c1303d0a1e7835462

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0719789823ef9256750f63a1e124a0cf
SHA1 a9e237fdc33d798a1e7810d1025a0c333def4645
SHA256 37fe9a37425159834944f6d82e44ab02e952d830664eb5ab0ba1ace2cbd378d2
SHA512 6a1df034341855a29c3174b3b58b0b5a6b37a823ff791f1feef9ce214fdd6666700b926498ce38d0322904641f838ef8cdd0a8a1d87795270e4d0f96ea5b3676

C:\Users\Admin\AppData\Local\Temp\posterBox2fJQ8maZ0O5as\QdX9ITDLyCRBWeb Data

MD5 250f6cee6a8be4a85cd0d78b8f9ac854
SHA1 48a5be711abe88c0efb7204f6c792e67a99d390a
SHA256 21e090219937792f360789c94785cf969cf22fb9e2ae145dec419dc4beab1321
SHA512 4685c2cbc34566879e5c494f1433996ce9541e048a87036876d0ec426a02a13af6ed606575306522def4dd19a3fcc34b95335f492b21960b28e8f12be82a35b7

C:\Users\Admin\AppData\Local\Temp\posterBox2fJQ8maZ0O5as\ZunTSaNJLBVfWeb Data

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

MD5 6dfb28a6390f63171f06e77ea2e7465a
SHA1 415dbb91566f810a83c3c6efa2e4dd2c4084c276
SHA256 3cfe4ed506d1ee431d75dfab4e2f1ada2fd30e8d7664061d9fd706b3ed9c4b98
SHA512 333b19faaa15c61ee44793bb4c2222663070ebf6463fb85115f561bba0abff09ab8a88f5dcad8f31ccc496b42930d137c865515c78ecb0a0adf994d64354ba56

C:\Users\Admin\AppData\Local\Temp\grandUIA2fJQ8maZ0O5as\information.txt

MD5 b94646328963be28d6d5b63eb794b54a
SHA1 a8164ffd45821c98a8ba013e7bf7310d75878d9b
SHA256 f68ff6d25f66fd0dfdfa10cdcfb49080004bcd4a0bc9e7bf67e2f86100958c61
SHA512 48e00a3b59b0cce50e5f5272227875d52665fd924f54808f281bbcb2f5ae7e16aec07986270d2606fe72e9e69e8c922c8863cc9c85be01f29bdc9b72fd1e8e7a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5d32164d49a7709d8cfaeb8501d0b984
SHA1 5a64294dc1c27930d38136efe69d5efd57638e7d
SHA256 0f9863874575911062a65a838487704194c66a45c231539e3560acb81b8d1923
SHA512 c24cd42c01345bac6853922d6cc6aeb42f05af002572ddcf83910912072892842263c07d8e8ebf1b860d3fbeedb707de996029e1997ef535d44d5bbc98ebe75d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

MD5 923a543cc619ea568f91b723d9fb1ef0
SHA1 6f4ade25559645c741d7327c6e16521e43d7e1f9
SHA256 bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
SHA512 a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 909324d9c20060e3e73a7b5ff1f19dd8
SHA1 feea7790740db1e87419c8f5920859ea0234b76b
SHA256 dfc749d2afefe484d9aa9f8f06d461ad104a0ca9b75b46abfaaddda64a5e9278
SHA512 b64d2dce1f9a185fbb8a32adc1ff402d8045d379600bf3f9154bbde18303610f18af9fce258442db1e621ecf10b77aafe99cffedfcbe2a1490056c50cc42d0f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 d55250dc737ef207ba326220fff903d1
SHA1 cbdc4af13a2ca8219d5c0b13d2c091a4234347c6
SHA256 d3e913618a52fe57ab4320e62a5ace58a699d6bce8187164e198abe3279726fd
SHA512 13adff61e2cfa25dc535eba9d63209b7e7e9bd29fc4d6c868b057df7f680aa66ef5783a0e82a8367185debf7f6fe5bae89adc0770daff5317d2e16db5ad3ab39

memory/6568-612-0x0000000000AF0000-0x0000000000BF0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c94a8b4b8c59008153ce4e7982ec790e
SHA1 85d1b363873ac4f48b4a7a13e3ce86a28620fe14
SHA256 279a384996e8f8716fb5871fb29a8b9094b43dd7990e97196186ab139c55ca5e
SHA512 651611456db121be3f82f8b324e2cf7d21be1d0e4d3ec64c9f727a38903f0efdb843f8df6eb781c240081d6cd614c73bc948f22535bfe41b571b2324d5e2eb0e

memory/6568-622-0x0000000000A30000-0x0000000000AAC000-memory.dmp

memory/6568-623-0x0000000000400000-0x0000000000892000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 a553ed37741112dae933596a86226276
SHA1 74ab5b15036f657a40a159863fa901421e36d4fa
SHA256 ec16b2f20ead3d276f672ae72533fcc24833c7bcfd08e82abf8c582e1bed5e87
SHA512 25d263aeeda0384b709e1c4ec3f6dba5cfcb8577e026d66846c2045b543f6446439b946163b1ea8f7e53cc6ebf38c93172452bd43e2560b42b56c4d13625e107

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

memory/6568-730-0x0000000000400000-0x0000000000892000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5284b178d04d28994c7d80ae9664c8d5
SHA1 cfcfaf9ad8c82f2bc5439846734bf5100ddadac5
SHA256 8b4f8da2991a12a017787e187d50694cb8c42c9794f2d612dde335cb16ce5ec7
SHA512 e6f8aff7d4fae8f07b3b6b6958e65321253c803a20bf5fe143f22fea474ed041dffd17b52aa1a345858c4c6ab64aca02af42f9cc5e2a0743ce5fa6b4eb77ef26

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000055

MD5 b3ba9decc3bb52ed5cca8158e05928a9
SHA1 19d045a3fbccbf788a29a4dba443d9ccf5a12fb0
SHA256 8bd1b2afcbe2fa046b0937197f1b2f393ef821ff89331f99754b9006f0114df4
SHA512 86a86d370e96fa29c0c1d12991c2287936b400830869ff7b5abe4de6f32db2df782b626d724496cd6de27f8cbd32101ba34cbcd4c650ef11afa26bc048d68529

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58585c.TMP

MD5 b5c00f786dc49f5b7cebda44bb148bb7
SHA1 9518dcb18e157e535e734c96b646832ca536b5ff
SHA256 2f4e0c59cd250a7c3af033ddef504f0a5d4fdd3fa1b8585c5cfa8b9ac58e994c
SHA512 b569446dd19e4a36fae575c3c6a90c5cf54ae3a414a1de9fdd54168b04b2d12e74341bb57c017703e85d00cc5ed23c84e36a26fca4e861c7de2154807981ba71

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 00fdbfb4a4cb2780cb8aba55f8e07559
SHA1 e43d6411a7496c230cdd85cf306dcdf3d5803c6f
SHA256 53c871bdfaedc529abc0a11b22ea0dbe64109ef9d5161b0a51384f64355dbd20
SHA512 e854b4f72c333e864d5c46acde8a5c8694ebb10500b67ce5933ecb813b87cedbe87ac86f09173cd4e8d7abf9d11204b5fb224e48c1146f26d0723c14b9a2f2f3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

MD5 4a8e1e6abe9358705420e7a0863ff104
SHA1 d6173f385c7d6698d7272807a080483c23df53f9
SHA256 fa84c467cbbfe515c56c06739cc1bb8dc077bfde1d19d29b314bbb0a8cf85801
SHA512 f36f6777fec1da4c73433afeaf653e77cc8d691e422595e2025cf001d42d9e08622751104ad931768360117ef6c2d1b312bb28b9544996d953153cf2c9a90cff

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 7353e64fff7002db8f8e6efbf2fd839b
SHA1 614083398005b107ebbc2f0b86d941c457f4f205
SHA256 08e863c52de8936ee9f5e6330c6c4b730f9cde37ee04decf42701cbb7e71f491
SHA512 d319fad09fef945708e22c92a7e2b11386a2e6eb8dc0c1b2890e7bbecb3dc3377cf92dbe6e44507e9886db6169a1512fa8f035cf42631819ec5c814947ed6569

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 83448bff2881daf159b2fcf73359043a
SHA1 304aec4dc6e73a1fd02e765cc4fc3f0ea42b9c43
SHA256 5c52d87a3bed46d687f8759c9a4046e617a486b17eda89b01a0097e7e83a9dd5
SHA512 82772eaeb56f96e8dcf7a412cef62cced819ff7e20e85de29c416140adc82fc4b1a328230a938f7fbfbe4794866b92da670004eefd74f80e008d8b49a73c618c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 48517b961a9c11fd997e09587d90d017
SHA1 731ac50e6d69bd88f3859df93e47f9a8d0306a8c
SHA256 84c0723092762cb9691d72a28d586f5fed40297310d196090304cbf3af21287c
SHA512 99948d806faa663414dd76ff719bf0b85e2b2b457e21a5f768888b352892e0c26e993f22c426e22354ea6a1fdeba184612f30c7cbaf721d41bd66f38f7a90183

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a60605039a9d0987e0ac849ca24f8e5c
SHA1 c640a91ea4495a4b2304188592fd6e91084e482b
SHA256 4941d3e5a1e39a409f45da7ebbc772c968031f5e57dc233f0569017b6066f9da
SHA512 a3e89c1a7272fe93421a6252bebec638c7621efd91aee0697c228c32d30e523de4cdcae3ca3a9da023ec72f64b83b97098ae8e4b877ff9acc8498756b8d43ca5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5b0193e501fffb82dfe10af5f91c3da8
SHA1 47004af98f01962523fe14114760329b0d3d270b
SHA256 56b50c365d6ffbb2fa38728ae0f0a9081203acaf169fe7b1ed1eabe1ddbde181
SHA512 a09651404915fa50aac4af550ed7431613350e35d9f1aca78c97e9fd94263c7a8bba66250c448b435b78807d6945efda8396dcf794250218c8bf6da5e53eeecd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 0b682cc72d2a4593a123326b1f41f19b
SHA1 e31d37915837e3d2e528e993f58e1d21c69ac0ce
SHA256 82b231bebce2cb08faa3a311c30cc94a457cab52331878da22bef08100a210aa
SHA512 91b61330b4c9cbc7ca7e154db800d36c0a99a6b0948985ad083b0a5987e7f4f64c914392496b47fc4f55ee9e29a5697a40e4f6859f9821023148b841515686fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58bdae.TMP

MD5 0102f91fd47f89935a9e1aa400e79063
SHA1 1e7ea22f49dfc5407115e7c78df9fd227deb5301
SHA256 d754f07e9d70d8d4192450f3174efae3db35db94a8c5ddc1f81d4c7e178a8438
SHA512 63c0fd93bf9529748038e1e678f17e2b2fa2ee95edf36ae3f9ecc0ad63aa89ec70e4fbe56413beeaa3fedc8812507e425587a5435dd46ca33d3f61181cd17ac6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 ac269e52c3dc37c07319fd4a1eaa35ef
SHA1 48525d573738c4aeeb83e2d95b19f205b55f3737
SHA256 34e27153fb715be91c4ae508d63d2e04b24f102f6edc734a57a610cb58e7b7f2
SHA512 40f72a256f091390676ba00fcd01db9d317a8fa932992abaa1e8024b70981898b767723b7327425d7d5ffaef93bfef9bff4cc8cd5489a0b519a8f2fdece55191

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a758de16c454ca9375d8011350b73ff6
SHA1 0569bbaddc2f717f092cf0fa679de1257d0e55ca
SHA256 101937a2102d61c0f1e2164af11ae6ab786cce34da4b57777a41776b86f7f065
SHA512 78b7ba6f6b19f54cc1b4136cda007e678280bcaac94300e146f7a2f09e8c1ffaec282afa1a4495ed178b867df8bd9c03f2cf6855fa4994ffe80aa79d74e29616

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\7d2117e0-5c33-44a9-b340-6f72122396a1\index-dir\the-real-index~RFe58ff1c.TMP

MD5 de850f42202d8d554069303feb9df4bf
SHA1 e3a4a87f9665ada2bfa19d501325e0e4c416add5
SHA256 5fe028467d2e4e69a52adea643ae50be5508d892bbdf9c71cf97b8976f86558f
SHA512 98e62bb28a8c59be75a5830022c3e3861e6f3f5ed386024654203a08cb37aa58e8b20fe66c5ed54c744e1f3810d335d1c40a5d738af9ea8628dedf2f19acdc37

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\7d2117e0-5c33-44a9-b340-6f72122396a1\index-dir\the-real-index

MD5 5bb9ee68d0630d57e71dc442733b7c1f
SHA1 e2b286ecc7e41676c7c43889d83c718397ac697b
SHA256 ab64f39a68873e644660eeb4ec85c1b6d720628c9b50b52948bd5263608b87fa
SHA512 58d5272059e5dda1fdb8eb58d497ab2755b7b9be9d1bf47a14c468015423eaf42acc3b0f2341965e9f6a53117e0ab24a2665a481ceded89afe498fa5c209600c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

MD5 7dc066fa29f679680268b35e4d05fcef
SHA1 94ddb711a21448e5dd2c94ed579164a002fbdd11
SHA256 435b619b01d474cfa4f1eb5d480f83d7b9e3f1957228cbe7ea5da3ccf2be4fc4
SHA512 03a06d213220398e26b7480a9c9044e6997f311b8d6b3faeb385d25dc90188c5fc0ebaf9b6d55c3c969663e85007b0d89513d7af254706d0b06ab790af75d159

memory/5032-2223-0x0000000000BB0000-0x0000000000CB0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 29c476ab7da02504b998c0f58cecf991
SHA1 a631bdced62d69689f1fd9400cd9c069beec9df7
SHA256 c0c24c46e29d600916c1c96d662792b368650990054f0ea6fb5361c3a1c535dd
SHA512 d87d00d583f6b393d8e743317ce2f52726624c1681c37cc3fe8a05fea48e0b16914244fde7e452a9664d9a0a6bf0ec59007d430dcfd36bf0209ccdcbe756bea5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 359d12209bf3dc9176a6a860d4ef3448
SHA1 12c7f202465849f15069bb34779af46eb25417c6
SHA256 79b45840d03ab11d76e112f60e2d74d976fd3b99b354d6fb90432015b0598ce2
SHA512 bb808d2416ca7c44ebfb238b81b0dce99eb3ffe8f13a0fb5caf7fb6e9586a07883e6e148556c35cc8f6a3dad2bfd998fee254c5cad57d2e19aeb4d31d1000c3b

memory/1972-2251-0x0000000000D20000-0x0000000000D36000-memory.dmp

memory/1384-2254-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 133696c9bddf12fe1fcffa45d733dfa1
SHA1 8d7d0a87babdb8a1e7afdea8488c4433205f39a2
SHA256 1f6722d549ec5c0f6e4de626c36e47799972ba5a2d22225368aa64662a5e4ade
SHA512 ceeb48f03de7113bef5fee4ef910c041df64a1a98aeb3a0ccb4516199be74e79d49e8cac897eadd7cbe9ad15b112698602de4dc478c4513ec9d9d10077d00acc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 ae6e7ce5d2cad99a9c6d199990c72b7a
SHA1 1809ebc66c9f8b41e48c29d767e18a8a6cbaf326
SHA256 66ca4c6d49f56f93a5c990f123f43b4ca52f77e7fd728b341e1a0d1002ac90a0
SHA512 6209de45df40368e1dff1b9bcbb50f70b4a7c4510a483728eb0027add81c2e260790693add1ec568021c7c52cc0ab8bc1102570ba4a7eef8b6cfd6b03d213ffd