Malware Analysis Report

2025-01-02 03:50

Sample ID 231213-gbp6fsggam
Target 9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35
SHA256 9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35
Tags
dcrat djvu lumma privateloader risepro smokeloader pub1 backdoor paypal collection discovery infostealer loader persistence phishing ransomware rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35

Threat Level: Known bad

The file 9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35 was found to be: Known bad.

Malicious Activity Summary

Detected Djvu ransomware

SmokeLoader

RisePro

Djvu Ransomware

Detect Lumma Stealer payload V4

Lumma Stealer

DcRat

PrivateLoader

Downloads MZ/PE file

Reads user/profile data of web browsers

Drops startup file

Deletes itself

Reads user/profile data of local email clients

Checks computer location settings

Executes dropped EXE

Modifies file permissions

Checks installed software on the system

Looks up external IP address via web service

Adds Run key to start application

Accesses Microsoft Outlook profiles

AutoIT Executable

Drops file in System32 directory

Detected potential entity reuse from brand paypal.

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

outlook_office_path

Suspicious use of FindShellTrayWindow

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Checks processor information in registry

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-13 05:38

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-13 05:38

Reported

2023-12-13 05:40

Platform

win10v2004-20231127-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe"

Signatures

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ae32c46a-408f-440b-ba92-443fb487bad9\\7DD.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\7DD.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A (×2)

Detect Lumma Stealer payload V4

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×3)

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×9)

Djvu Ransomware

ransomware djvu

Lumma Stealer

stealer lumma

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7DD.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PR8616.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PR8616.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PR8616.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PR8616.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PR8616.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ae32c46a-408f-440b-ba92-443fb487bad9\\7DD.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\7DD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\1470.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ca3lM75.exe | N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A (×2)
N/A | ipinfo.io | N/A | N/A (×2)

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×2)

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PR8616.exe | N/A
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PR8616.exe | N/A
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PR8616.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PR8616.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\EF13.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\gucdjge | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\EF13.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\EF13.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\gucdjge | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\gucdjge | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PR8616.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PR8616.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A (×2)

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe | N/A (×2)
N/A | N/A | N/A | N/A (×62)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (×20)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A (×30, alternating with the row below)
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A (×30)

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | N/A | N/A (×2)
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (×5)
N/A | N/A | N/A | N/A (×2)
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (×25)
N/A | N/A | N/A | N/A (×4)

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (×30)

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4468 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe | C:\Users\Admin\AppData\Local\Temp\9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe (×6)
PID 3272 wrote to memory of 4600 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EF13.exe (×3)
PID 3272 wrote to memory of 416 | N/A | N/A | C:\Windows\system32\cmd.exe (×2)
PID 416 wrote to memory of 1280 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe (×2)
PID 4600 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\EF13.exe | C:\Users\Admin\AppData\Local\Temp\EF13.exe (×6)
PID 3272 wrote to memory of 4560 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7DD.exe (×3)
PID 4560 wrote to memory of 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\7DD.exe | C:\Users\Admin\AppData\Local\Temp\7DD.exe (×10)
PID 3144 wrote to memory of 1088 | N/A | C:\Users\Admin\AppData\Local\Temp\7DD.exe | C:\Windows\SysWOW64\icacls.exe (×3)
PID 3144 wrote to memory of 3864 | N/A | C:\Users\Admin\AppData\Local\Temp\7DD.exe | C:\Users\Admin\AppData\Local\Temp\7DD.exe (×3)
PID 3272 wrote to memory of 1616 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1470.exe (×3)
PID 1616 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\1470.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ca3lM75.exe (×3)
PID 1900 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ca3lM75.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1To94YF2.exe (×3)
PID 3864 wrote to memory of 1992 | N/A | C:\Users\Admin\AppData\Local\Temp\7DD.exe | C:\Users\Admin\AppData\Local\Temp\7DD.exe (×10)
PID 1924 wrote to memory of 4668 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (×2)
PID 4668 wrote to memory of 1652 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (×2)
PID 1924 wrote to memory of 2120 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (×2)
PID 2120 wrote to memory of 1696 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PR8616.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PR8616.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe

"C:\Users\Admin\AppData\Local\Temp\9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe"

C:\Users\Admin\AppData\Local\Temp\9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe

"C:\Users\Admin\AppData\Local\Temp\9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35.exe"

C:\Users\Admin\AppData\Local\Temp\EF13.exe

C:\Users\Admin\AppData\Local\Temp\EF13.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F06C.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\EF13.exe

C:\Users\Admin\AppData\Local\Temp\EF13.exe

C:\Users\Admin\AppData\Local\Temp\7DD.exe

C:\Users\Admin\AppData\Local\Temp\7DD.exe

C:\Users\Admin\AppData\Local\Temp\7DD.exe

C:\Users\Admin\AppData\Local\Temp\7DD.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ae32c46a-408f-440b-ba92-443fb487bad9" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\7DD.exe

"C:\Users\Admin\AppData\Local\Temp\7DD.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1470.exe

C:\Users\Admin\AppData\Local\Temp\1470.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ca3lM75.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ca3lM75.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1To94YF2.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1To94YF2.exe

C:\Users\Admin\AppData\Local\Temp\7DD.exe

"C:\Users\Admin\AppData\Local\Temp\7DD.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1992 -ip 1992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd74718

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,6416093471888615068,2397192538690831067,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,6416093471888615068,2397192538690831067,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,9848842407201901460,18123915721562923441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16795344000278021468,7760274516861956801,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,16795344000278021468,7760274516861956801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,9848842407201901460,18123915721562923441,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PR8616.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PR8616.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,2300100849802714671,7517593101365197699,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x78,0x170,0x7ffd8dd746f8,0x7ffd8dd74708,0x7ffd8dd74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,5550792225734076753,1685124743080624193,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,2300100849802714671,7517593101365197699,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,5550792225734076753,1685124743080624193,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,13311691850316208750,15429520729105742813,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,13311691850316208750,15429520729105742813,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,3763091579317280085,2886994263970768899,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2512 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7876 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6176 -ip 6176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6176 -s 1820

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7mX2az42.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7mX2az42.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6800 -ip 6800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6800 -s 1028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2120,1338148167093771364,1370282563979347010,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7500 /prefetch:8

C:\Users\Admin\AppData\Roaming\gucdjge

C:\Users\Admin\AppData\Roaming\gucdjge

C:\Users\Admin\AppData\Roaming\gucdjge

C:\Users\Admin\AppData\Roaming\gucdjge

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

Network

US 172.64.150.242:443 api.x.com tcp
US 104.244.42.66:443 api.twitter.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 8.8.8.8:53 pbs.twimg.com udp
US 192.229.220.133:443 video.twimg.com tcp
US 8.8.8.8:53 t.co udp
US 192.229.233.50:443 pbs.twimg.com tcp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 84.245.4.64.in-addr.arpa udp
US 8.8.8.8:53 35.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 221.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 72.110.32.13.in-addr.arpa udp
US 104.244.42.197:443 t.co tcp
N/A 224.0.0.251:5353 udp
GB 142.250.200.3:443 www.recaptcha.net udp
US 8.8.8.8:53 242.150.64.172.in-addr.arpa udp
US 8.8.8.8:53 141.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 66.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 133.220.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.233.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 102.30.203.52.in-addr.arpa udp
US 8.8.8.8:53 soupinterestoe.fun udp
US 104.21.24.252:80 soupinterestoe.fun tcp
US 8.8.8.8:53 252.24.21.104.in-addr.arpa udp
US 8.8.8.8:53 dayfarrichjwclik.fun udp
US 172.67.174.181:80 dayfarrichjwclik.fun tcp
US 8.8.8.8:53 neighborhoodfeelsa.fun udp
US 172.67.143.130:80 neighborhoodfeelsa.fun tcp
US 8.8.8.8:53 www.google.com udp
FR 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 diagramfiremonkeyowwa.fun udp
US 104.21.18.224:80 diagramfiremonkeyowwa.fun tcp
US 8.8.8.8:53 ratefacilityframw.fun udp
US 104.21.74.182:80 ratefacilityframw.fun tcp
US 8.8.8.8:53 reviveincapablewew.pw udp
US 8.8.8.8:53 cakecoldsplurgrewe.pw udp
US 8.8.8.8:53 opposesicknessopw.pw udp
US 8.8.8.8:53 politefrightenpowoa.pw udp
US 8.8.8.8:53 181.174.67.172.in-addr.arpa udp
US 8.8.8.8:53 130.143.67.172.in-addr.arpa udp
US 8.8.8.8:53 68.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 224.18.21.104.in-addr.arpa udp
US 8.8.8.8:53 182.74.21.104.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
IE 163.70.147.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
IE 163.70.147.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 35.147.70.163.in-addr.arpa udp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
US 8.8.8.8:53 login.steampowered.com udp
GB 104.103.202.103:443 login.steampowered.com tcp
US 8.8.8.8:53 sentry.io udp
US 35.186.247.156:443 sentry.io tcp
US 8.8.8.8:53 156.247.186.35.in-addr.arpa udp
US 8.8.8.8:53 api.steampowered.com udp
GB 104.103.202.103:443 api.steampowered.com tcp
FR 216.58.204.68:443 www.google.com udp
AT 13.32.110.72:443 static-assets-prod.unrealengine.com tcp
US 8.8.8.8:53 talon-website-prod.ecosec.on.epicgames.com udp
US 104.18.41.136:443 talon-website-prod.ecosec.on.epicgames.com tcp
US 35.186.247.156:443 sentry.io udp
US 104.244.42.66:443 api.twitter.com tcp
US 104.244.42.66:443 api.twitter.com tcp
US 8.8.8.8:53 136.41.18.104.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 talon-service-prod.ecosec.on.epicgames.com udp
US 104.18.41.136:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 104.18.41.136:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 104.18.41.136:443 talon-service-prod.ecosec.on.epicgames.com tcp
US 8.8.8.8:53 js.hcaptcha.com udp
US 104.19.219.90:443 js.hcaptcha.com tcp
US 8.8.8.8:53 90.219.19.104.in-addr.arpa udp
US 8.8.8.8:53 newassets.hcaptcha.com udp
US 8.8.8.8:53 api.hcaptcha.com udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
GB 142.250.178.14:443 youtube.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
FR 216.58.204.78:443 www.youtube.com udp
US 8.8.8.8:53 253.15.104.51.in-addr.arpa udp

Files

memory/4468-1-0x0000000000CA0000-0x0000000000DA0000-memory.dmp

memory/4468-2-0x0000000002640000-0x0000000002649000-memory.dmp

memory/1340-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1340-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3272-5-0x0000000003210000-0x0000000003226000-memory.dmp

memory/1340-7-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EF13.exe

MD5 e1db58927595887f3528ccd12a9b3139
SHA1 ddddbc9ba3112f0bdcbe0e6fa75bcfb74c68f1cb
SHA256 9ba8bae87a9665c5683c4f5111fccfe524ba8671180c8d6cc8a9bd20f2f30f35
SHA512 4809cd07c8847e2d3812f75a97526fc2f32703b3f8b3dc0b60b3335432e595031147a8245913ba731c2996acaa0a93aae255e29a729870eb9a4eee9710d9f6a7

C:\Users\Admin\AppData\Local\Temp\F06C.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

memory/4600-22-0x0000000000920000-0x0000000000A20000-memory.dmp

memory/4088-24-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3272-25-0x0000000007870000-0x0000000007886000-memory.dmp

memory/4088-26-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7DD.exe

MD5 d6709cc2adb09d6ff003d52ece25c894
SHA1 1f5b110ab3549efac240ff309bbcb934c26a072a
SHA256 fb5c249e2a353691a022f786fabcdc80037824e1f018ddb01d2a5f68c62e2167
SHA512 9501a3818f7e478f546438582a654592bc2c541cdb7d1b54dfb931672a6da74b5e0c3b6a9ee5080dd604762bdb7be3222c931223acc7c79c51b3b06ea72e002d

memory/4560-34-0x0000000002430000-0x00000000024D0000-memory.dmp

memory/4560-35-0x00000000025D0000-0x00000000026EB000-memory.dmp

memory/3144-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3144-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3144-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3144-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3144-50-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1470.exe

MD5 ecb468882ee533e521a9df36ad3eacf1
SHA1 a1fea7ca6d1f65458a9f8464377d43f1f26bb947
SHA256 87a0bf17ab7b79d832c520aae117ea3cb6f141b84a7035099664ac8148a4626f
SHA512 1a157b18084c6e7d0cd4801d71080aba5971ddb02fdacefc05f11b28124c2fddb09bf1766f25d2d6c3b778bf66ebdc806b14c96bb6883041b5fad4e8623bade5

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ca3lM75.exe

MD5 e01a2c4142fc339884e60b819b52ff9e
SHA1 f75821ea099c26b7b1e933787b2e0795fe70e89e
SHA256 ac29d44852bcc1f12d6fc777e6958705d40406ef36b91cf3426017845805bfba
SHA512 40d8e21da5b544b2782e8f1e1a3f458424b541a7474f7893f1c11ea1266fd0a1888b1d4e4868e9e7070ee1f5fee311cf4571bcc7cd86401186b4adba5c4679c5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1To94YF2.exe

MD5 589e67e5be95d38137707eab421a98f9
SHA1 d89e115d57920a0f037b34181ed824589609c302
SHA256 844c5a77852461e53bc1f57f5226ec0c0f124ce780c7467d0b5d9e88edb45e8c
SHA512 458b250cfcdeebb378fc198d1dc709daac6ed2c33d3f2f70d03dd4da32be45ef727b47512c791aba29c7b8aed4f0738371723bc8f7673097c5b6f858eab40c72

memory/3864-71-0x0000000002460000-0x0000000002502000-memory.dmp

memory/1992-74-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1992-75-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1992-77-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 16f2e3b53bcbb102e66ce976ddf51d21
SHA1 2d08df66868e7a63324fc49d8badcce608bd68e3
SHA256 735cfaa43a4815a1aef46276a32d628ce5b1b7a4f57b316e7d51abc762b92653
SHA512 bb567f8fa37c0b0a1447e247aef839c681a24e0861fcb2fc9ece89978cd6443cf2cd6d73b288b1cdd5ccd1851d3f10e2fcde896da8571e99102b1a9a14c9d524

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ef2ab50a3d368243b8203ac219278a5d
SHA1 2d154d63c4371354ff607656a4d94bc3734658a9
SHA256 2e2faf2873e0b8d58788da8603acdd772642a396fff661c4e32f8a581362cbdf
SHA512 4533997bf4070f99306337b8ff553691d4cf1d1b53401628524ad4dc9d29bd0536a3f2df4ecdd0a8afa81b7f917f40524c9a1898b566ee499a358abc5c84b27a

\??\pipe\LOCAL\crashpad_1004_GUARPZFPTLPZKLDT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2PR8616.exe

MD5 f8e7488fd4ced59d6eb387447bc37430
SHA1 560ed0a592273875ae66a93efd611f76a9da7ee7
SHA256 30d11b5bd1ed2f376bb2c6dd47299a54702bf9cfdfc0d32e5f50c1adf83ae347
SHA512 0e7445eb71a24e10c13a706189cc972d9d590bbd456f27b4008243161868fc6b0e86fd8fadf42f61502aa913f39e2a3fedb7de236b80a2bff05378b7ade6cdb2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d5da6a68e569268fa360aa86df1da691
SHA1 88620c7f144764aa0f7f16956ae92fcec3e15635
SHA256 b6e0b2fc73e32b89ff00e730be30cc4d9bee4cd7316f62d76250807300610b7f
SHA512 7e2e811070e949921474e5d76107a5b4ce27b0ae54c80f948d9147d655f3edac571266393a0b99f0c8bd900f560e8cafb05cb2a21194f9e9e3b77b63713aff18

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bc96ecb2b35d13512fc80c33c4fbd0b4
SHA1 e360e58fa6eba698482d78d8b6b91473d35c98e8
SHA256 ac271596e1f1df2848f0c5ac04f1968e802615611bf5c11ba73acfd8cb6075ca
SHA512 4d5140272bd6db3c860585b51c19f068b7d99acfbec3a7de141daa6911a56b9cf68efd802aa7e5ef177aa7fc5d9a24d9855800723a157adbbacafddb238b1faf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fae532313b86d5299fcc9e4dcc909590
SHA1 697ef446f9b62b987cd2e98496911a9b2cc12cd3
SHA256 803850f2b439ed0139601ea748c1f2b93353fec2a9a9efebb63460618802d6d4
SHA512 07616f0d6eb1b7fdddd279d00a1c17b2f0e7b2e8b70d4cce57cf1997542b910d99d9f100d4b513d3f74833eb3e3525b25410322eec12d5ebb44efd8049c941a3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8b3a2a187fb05ca2e41e7b4ce6e9aff0
SHA1 3c931b61d8e5bffce81c1c95bf761ee7621daf9f
SHA256 5f3d00869d7f5a8d98b8e62e1f8fcf79fe21877535f3faf975d7fbcd9f29c130
SHA512 000359146b87cdf9f432acc25299ed05f6de53912e38f972f4e2002c8075cb10a75209dc4ee71912578095976482dbe9b2f379c290a9b005bccf27a6ecb6bfd2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0013d549efc9f4ee70e7fc49da8eac12
SHA1 6cd8da38a709af62dbc739c39e31d1742b5c8868
SHA256 e286d36fd3b1ddeb83e7e2847631e5308bf3769e9032f6c5e0596e09563937ca
SHA512 498158b366658d338303e26549688bc7f9bce29f7e3083f3ab97c2e4ed9e1695b9cead929dca5eb9e808d70c43045a258c00355421fda65129d0bb184b90f921

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e82c55cefd424b2dc19b22540124a9d9
SHA1 cfb54b32a46e8a9dab3374edbbb56272ca6ff2a7
SHA256 c7921a8e160fa1c72488a64b6193a1ffa14e423d6b94414abe19b88aa07c6264
SHA512 3fe72e76388a0cf5aca2811865c6ea0ad3b00d9ffc4a114a758dd4187466be14d66a92fc66e34dd424167614e0527b27c0237c781e6d6c5087d8ff20677061e0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 137e24d7afd90068bbc2ea166bdb058c
SHA1 503544674913da9f28bd448e4058bbf86a73e644
SHA256 816120ab623944eed660787b9986c24ac462be30fc2d612bb164d043c1457521
SHA512 7125ac809eda48074f240bffa35555af24d6abbab311a7d41880caa39f808317b2ec2276c1f5368faa194e9d7a29655db97867449a9d9debdd9ad9460d5ec39a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bd2c937a0bd6f6fef431c45c9f9f70a6
SHA1 9cc0d2f94e50c87c6544e981756f56da49683804
SHA256 fbe63ff4383d29a5608badaa34b90841bd80177c7435a12af1747c8437bb46d8
SHA512 594185fea4541939dca53237f39952e8ee96c58a31009b937afcc998e34fbe0eafe9d2ac9061e3145e89b503c815648648a68bb20babaa97f324dc19f2fdd862

C:\Users\Admin\AppData\Local\Temp\posterBoxu1jg7T94ASzNE\QdX9ITDLyCRBWeb Data

MD5 15b15858232eb73939154fa51070f7d9
SHA1 c5d442be8afd48c12f3e10324d74c274ebad25d8
SHA256 415b5d95ff3e636716deaa385106694fcc257f82be4fe831fdaed420bba50cf2
SHA512 8477c2a94ecbecff9d79d3f73713d568ab29260cd51397f54939629531aa84eeaaffc742bef744da071718b597b15e8870c547cf1dfeb122686bb9e59a7dfd86

C:\Users\Admin\AppData\Local\Temp\posterBoxu1jg7T94ASzNE\ZunTSaNJLBVfWeb Data

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\grandUIAu1jg7T94ASzNE\information.txt

MD5 df3ae2dbdbafe7f4eb0fbd8cb7b993d8
SHA1 ed3410f4271a4af92168cba045d2218ed4bb9306
SHA256 4e2bdcf3461b9c798ebddc008f1425ede36bf1e60b1b379e35c7b44d8c238193
SHA512 56e902f1e671ff2d07ddd979ee159407dce8995f05d5dd936dc5dd8e86d6a8fa5bf2adc7a06e0c6708be891486f507c1a6f80b2882ddd6da00b821feff63e08f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 04c3558f9276d9c3d7769ead90acb21b
SHA1 1135f4eba6629e2775302537d8615d4267e89908
SHA256 aa759c4ad98f812da40bd00524e00ce18da098e780afa7aa5bd79b77e735ae4a
SHA512 cdd3a74da2ee35dde6b9b200dd765a5f3bc96da53e2897d0cd21f78dd4ee66399dc909d3e70a4ac5125503822bbe2854ed5b590a57c0776894e156dad7c619ed

memory/6800-546-0x0000000000930000-0x0000000000A30000-memory.dmp

memory/6800-547-0x00000000024F0000-0x000000000256C000-memory.dmp

memory/6800-553-0x0000000000400000-0x0000000000892000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

MD5 923a543cc619ea568f91b723d9fb1ef0
SHA1 6f4ade25559645c741d7327c6e16521e43d7e1f9
SHA256 bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
SHA512 a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

memory/6800-599-0x0000000000400000-0x0000000000892000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 879c7e76c9513b1435d386a4f1472303
SHA1 2f9ea28dc94bfb83d9f3268ccc665129c3d8823d
SHA256 7d16a8d3c24dee6f14d5e33070ba00cd0662c317a3416b20d5f298b68c8d4343
SHA512 4ef80c84748985831794c0c1649ac430ae3b69aa44993628c0d9ee528be95191d845ac0afaaea8614c14a56871856ba824e0a91190f69f526ea811d0054d59b0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 bf38e67347aea6d520cda5fde321a1e5
SHA1 0e7a8def4c923201d76b41dfa9918bb1052827ea
SHA256 0f0744f36e30e64949c41835aa5666f25c1ab4f3636d9247b8350fd8ad4f8025
SHA512 f62478dd4e38c6bef2bfc24f46caa03840613711e2b6fda2aad707df5cbd33b25af4fc3954521e203b981c4a10e5c8fd2520cabc16cdad858eed819b45a6f366

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

MD5 b3ba9decc3bb52ed5cca8158e05928a9
SHA1 19d045a3fbccbf788a29a4dba443d9ccf5a12fb0
SHA256 8bd1b2afcbe2fa046b0937197f1b2f393ef821ff89331f99754b9006f0114df4
SHA512 86a86d370e96fa29c0c1d12991c2287936b400830869ff7b5abe4de6f32db2df782b626d724496cd6de27f8cbd32101ba34cbcd4c650ef11afa26bc048d68529

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

MD5 909324d9c20060e3e73a7b5ff1f19dd8
SHA1 feea7790740db1e87419c8f5920859ea0234b76b
SHA256 dfc749d2afefe484d9aa9f8f06d461ad104a0ca9b75b46abfaaddda64a5e9278
SHA512 b64d2dce1f9a185fbb8a32adc1ff402d8045d379600bf3f9154bbde18303610f18af9fce258442db1e621ecf10b77aafe99cffedfcbe2a1490056c50cc42d0f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

MD5 d55250dc737ef207ba326220fff903d1
SHA1 cbdc4af13a2ca8219d5c0b13d2c091a4234347c6
SHA256 d3e913618a52fe57ab4320e62a5ace58a699d6bce8187164e198abe3279726fd
SHA512 13adff61e2cfa25dc535eba9d63209b7e7e9bd29fc4d6c868b057df7f680aa66ef5783a0e82a8367185debf7f6fe5bae89adc0770daff5317d2e16db5ad3ab39

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 0ac259c4f162bd43564775eff4f2c0c4
SHA1 575f23492bdee169a10a202ed49dc53b067a8ce1
SHA256 d8ca798cad77b9679d7f521b459ff1fe78cdccdb79fa3b716d9e0e81576fda76
SHA512 8c40fed53429eb92673c6a42a060d26d7e8dcc4b1bf17c3c4529e4e9af04453a1d3b3878e4bd874686529ce9652ab5c89ccdd31b62e72255290ff0e32b0840b8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5878a6.TMP

MD5 ed8190877f30950ff120bd9f7a621410
SHA1 3a13b8ab385b763920a0a60b6b738632d7a1fdde
SHA256 459af229641ae2a31305ee05403562bf40392352a71a57426945714667e55530
SHA512 31602eec789459bc060d3b06c37e35f59660fad879a4cf16ed0cf95f44324c84c295ee786d1ad383355c1d2982e71de8fc511256f1d1fd4ba23c5cc1fdd6e24e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fe98b2996beb858c705d3606acfa8183
SHA1 b4f2d3a27910730bb43021d6a0d37c00ba5c29dd
SHA256 a229114b09a580feb8a7dccd9a7ae338631c1748eecf8cf4bb832ec2e859d7b9
SHA512 b47752d639574a3131b30ebcd7e106404bf56bdfc9521d4e2a8e61f1ff901194a7c921c81492bce8cc3e833b85fa6fe6ab2d526e222b6f376af8c6446ebd18d3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

MD5 ffa98f35e93bee0ef7c9ec796cecb7e7
SHA1 b54d14dd72466318796a2a69df8052bcfc73b7b7
SHA256 e1905aeb1f28dcf4edde44cee246baf723082ca4b5993bdb37c36be8058d73ce
SHA512 b932cf8acc5997b4923a0cc626530b699573a197be78ba7dd248b3175c366b1b63c2c4e92e9f8e3297b4c203773967e24d82be2bd4f156db32fea079599e6768

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 5a23287e17020328644eeb777879fb7d
SHA1 9a9f3fa3ee71390774622e6cba700ad496257a03
SHA256 1755d56e94c6f93ea0f05cfafa0f97dd4cbe7e99d5404fccf417211e8e3e0b7c
SHA512 33e407030c719767a9d12796821974ff3529746967d52888e8c4b44de6278ca59c945adc871433edf1449eed1153ff6bebd23578f2f71f05c85bc2f0eee7729d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 f349000ca3f25416aba6e73cd88f7fd3
SHA1 9a543b8e8af490253c5ce3a4092998104bbbb072
SHA256 97fd4dd1b617d6b9ee381d3fbc44ff041e99302690e0eb5d5cdea0605d8d235c
SHA512 cd25c7c8e3f60d5dd32c56fbc480ca4dd572ac39f6eac14fa60799a6ad131fe9f225c4c8bc69b95198a9926c9e8c23a1fb6e3fe89924fb756ddf432e2649d215

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmp

MD5 f9efbc0a1a3e6f0b296e08c8dd39cd64
SHA1 abdc090fe539ed15271e408f057a445fb9beef7b
SHA256 50096eba3160c15840f56fe321329b2b7bd422d76de1e4a9092cf83dbad8ac51
SHA512 416ed14f65cc740a2469cdce7a4723ec59954122ddb338ca54146de0bffedba6533312498b89e6147f9f13848bfdcee0460587623e5e50f90bae8fb1cee93830

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 db0db5b79003a5f1d675e22c6181588d
SHA1 169059ef7a707b9cfbda45d61fda3c140ac38b14
SHA256 9ac09123071930efd0f8bba69c3cdefe2a2aaa6ca90cdcaca04fc6f6125a518a
SHA512 1307e865456cb720194512b9464ebf7ad06726b02ee3606fa58f9adc9a147963e3e6d2d1b55625a84e95286317d3a7698bb6cdafb49a801f64b45ce618a07a17

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 145a4bd531bfb7ca8f483a36e1c8263e
SHA1 f2db238ca8550d04392ee0a7c1d04c0053658367
SHA256 746146c1a6a85c22f403e95eba43e2053e7e10d4f7fd7d3821c88f9b5a7ca37c
SHA512 0e1e379f286d7f72e569fd114a831be11731211aaa97b44170832711a8dc0f9dfad0a6a034050f8b893c8db31e03a4fda10c8165f8c0204c9d2896150a318f6c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 fade4a345ba7cf8e0a3d13d44f736637
SHA1 3cd2a91ca71f2800385c2b1f9e044ff489176763
SHA256 c3409a95bce308fa8332158e75c0a06c8d5485a0e7ad5ac88125d86d26dd2acf
SHA512 68c135eabdbc7c54b433a07d945e8b0fccdbd8d9826c18c797e14d5b051b1b575069180195492c3e392e446c0ae3e9886b4a3ec1e9b3632b31fbef89d038685d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 a06cabfaff91ddd22428056626193f24
SHA1 825db76c5ec4d7d78bf3ffaf2343daa1c65e961f
SHA256 8ac7113568d4b8d79b7ac556e04100378881b22d4a4e7fb55006d5e31127159e
SHA512 79786337026b7c0e9286f7e53dc0b38d7f0a1b436702ba03081c918267d7b6be9c263ec9bcc464e6aacc60fbffe8684976761ef1bf1bdb7e05d494dad33db7c6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58f2b8.TMP

MD5 65071ab6f24a5eabf803c54a77433177
SHA1 8cedd28cef5d7f4ff27dc40f2cf39ea07acf5ed6
SHA256 49b73ba88f33f3453718923ecf684dcd4a0c330f996799b493998af14b2da8fc
SHA512 0e5c36b818868d63fe1db759e46dc94ee2a96b9eda84827cafebd8709bbc3b2ccc2f52ecfc352130e4947985a5413203dbd0a3ca2f1a7e4489095ce582857cfa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 50727789b0e962937710739168b3089c
SHA1 755716bd1bd93eeddb0df0047df7a6f0ff1dec6d
SHA256 31e1cfa4453326aa89d4a3389b1657a30d21c8d55f2d4fb089add96c2da75f01
SHA512 1b52f78bcde098e840ef601b00a6f6467774530f5b21a4e54c29b6352ac17de79a7840f35e17d2ff0965f8de55e339165d2dc778d64e7506fdf0ac4a46675548

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\313cad57-64e9-4bd2-a0e1-39060ddbc249\index-dir\the-real-index~RFe591488.TMP

MD5 bb247aa39a4c9b789a6fb24b38b55cad
SHA1 0ddad99e34f5b660b03b6278cc801cb92164bdfb
SHA256 44398e1f93e5acf7336da9aeb7e930b6afee2747281b1c466b8b5a9aa3e3269c
SHA512 fc91b538c824a8ab17e912aca6b69493ba2782921a8c4ae1ede64bdd262bcf5e41be188d1a2196fda35bb82b8fe39bf388f3adf1fcc7445a42ab9d7c298f2f01

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\313cad57-64e9-4bd2-a0e1-39060ddbc249\index-dir\the-real-index

MD5 8875a960b95627cb241e2fca32844932
SHA1 e0554a198e27da79d29e6a2324b951f51aea939e
SHA256 965b6248b5b4789087f8d93ef9dffae8ab8d2b1ee09f940e8b378a9d138b4cb9
SHA512 6703c574603f74ed62a9908486a4fd22acd066098d30b2f07395cc6fe6a9102e07a18463800ca1b0224187d97e73a5e395ebda10090390b479f4ba5244c4ef66

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

MD5 480b5a8c8314a99ae08d04f418d6d8df
SHA1 d3dd7b0bfa28a5a7cbb4229d021a41468f3e5de2
SHA256 477cd5c4fd64389ba7101bf71b88552cb8dac439350d8334fabc920d2befe142
SHA512 d6b17c592ff09f954def99763bb7bec86665e374b2b40c1dfd55bd694859814b4b4344ffc77b989062b3fe6206c2e82333414514b22da205983b1e8c50618ad9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5049b791567301b6fdf147f43ab92e61
SHA1 86d4bf745cd832f8554350de5efac2952c5abb74
SHA256 20987044cedd4a06de919ae17b6e420c75d15a9e6787b09027ff9dbe041f7599
SHA512 229da8ca6e54ba6ca870a0a4d81d48e6cd1b3afd0534bdb9073f0dedba7f6ff4b3eedd0947787c6138c76fdd11b45f7e7a14d7a0e24efddcf6521f646aad7ea3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 58f9457599ab31d91e17a4b9e949eee5
SHA1 b3caba40f0e364da0a80b704220fb43153133042
SHA256 4eccd3ea676b8e301551bd02f28ff78f92793f88f6a4fd4f7ac9346907e84ba5
SHA512 a5e29554bc7573d1599ea3e51e0c0bcd8865df95fb126f5f5bfb2467ceadba1da2aa11ab21ef0b01a245edf361ad1720983a7fd2cbbcade80dc64b91e02c041f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 c0fc43af3f6775b43c3508419a7d6731
SHA1 00b5a606d199e7ec0a33cf220bea315580545108
SHA256 c25708b04b813e9d5c9bfcacad96c27abac23ff4067fd474cdf66580f84eb8d2
SHA512 b253c29a6b6b56d5f9efb2fb0d5a97aa8a787213352cf452cb0ca5976486cc596dee06627bbd400fa93d4ca1622ebf1076690a5ddedbfa96b59bed3d4f52779a

memory/6348-2259-0x0000000000A60000-0x0000000000B60000-memory.dmp

memory/1080-2261-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1f275724-e5f9-4afe-a9e3-e97b6eaf90aa.tmp

MD5 873afee3119b877fec6a29dc875edd93
SHA1 8ab637f2114af539691e4ac8baaee5f04dda234a
SHA256 b7b889cacbc75d04eee4dd9b9c1aac78cb76efd526b7c62c1b0aa5c06d9c87d9
SHA512 7ebb430f0e75013594d4017063ad44c29d598a2dd0e1ffc3587c42fa37b6d8aaf7a5b60324471ebd63158e411300dc13ec0055269f5d876e052f863b917dfb11

memory/3272-2271-0x0000000001460000-0x0000000001476000-memory.dmp

memory/1080-2272-0x0000000000400000-0x0000000000409000-memory.dmp