Malware Analysis Report

2025-08-05 12:51

Sample ID 240509-at4y1agc8x
Target https://github.com/pankoza2-pl/salinewin.exe-Malware
Tags: bootkit evasion persistence
Score: 8/10


Analysis Overview

Score: 8/10

Threat Level: Likely malicious

The file https://github.com/pankoza2-pl/salinewin.exe-Malware was found to be: Likely malicious.

Malicious Activity Summary

bootkit evasion persistence

Disables Task Manager via registry modification

Writes to the Master Boot Record (MBR)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies registry key

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates system info in registry

NTFS ADS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-09 00:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-09 00:31
Reported: 2024-05-09 00:33
Platform: win11-20240426-en
Max time kernel: 30s
Max time network: 130s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/salinewin.exe-Malware

Signatures

Disables Task Manager via registry modification

evasion

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\salinewin.exe-Malware-main.zip:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3388 wrote to memory of 4360 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3388 wrote to memory of 2568 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3388 wrote to memory of 1796 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3388 wrote to memory of 2664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/salinewin.exe-Malware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe9a173cb8,0x7ffe9a173cc8,0x7ffe9a173cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,13534170451410823631,3851117101882717249,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1728 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,13534170451410823631,3851117101882717249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,13534170451410823631,3851117101882717249,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13534170451410823631,3851117101882717249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13534170451410823631,3851117101882717249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,13534170451410823631,3851117101882717249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,13534170451410823631,3851117101882717249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13534170451410823631,3851117101882717249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,13534170451410823631,3851117101882717249,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe

"C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f

C:\Windows\SysWOW64\reg.exe

REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004DC

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13534170451410823631,3851117101882717249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13534170451410823631,3851117101882717249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13534170451410823631,3851117101882717249,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13534170451410823631,3851117101882717249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,13534170451410823631,3851117101882717249,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

Network


Files

SHA256 3bd645c5ddc7e0f82dfa2abdfc9b71833f1da6eb75d335440f2311a1980aed5b
SHA512 2c075e7edb984d53d179ab96fc238c83e9b68d00e165f53d7c8398530d23e7e83b512aac5494ed448ad9f6f7e25f2effa770645deb93bff476e0db5f4068e549

memory/1912-722-0x0000028E6D2F0000-0x0000028E6D3F0000-memory.dmp

memory/1912-734-0x0000028E59F30000-0x0000028E59F50000-memory.dmp

memory/1912-742-0x0000028E6F780000-0x0000028E6F880000-memory.dmp

memory/1912-760-0x0000028E59FD0000-0x0000028E59FF0000-memory.dmp

memory/1912-770-0x0000028E6D7B0000-0x0000028E6D7D0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DX2PTHLA\www.bing[1].xml

MD5 1917877eeb7ac92e7be918ef24310e3f
SHA1 3e3399de6050a0e25bb8d5451978f703b4a8e816
SHA256 9a79dcc5ff3a7cfe2a62e3a83b73c30d04b1993144141917ac8f5f2e6d395bb4
SHA512 a3769cf65dc1e4c634bdd26cf916ca0c64fe3a6cf01f74a3d62c2529fa470e8ccdd054d02254380808adef7769c49ae0d28d1ffe62a1ee8b12d1b46fd590e4ec

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\EABA6506-6EA4-4FC6-AEA1-94907ACDA3D0\Zrtu2hQ08VU_1.bytecode

MD5 c86852514fa6b9f025e93655325924ec
SHA1 cef5e9cc1f09685a6a60cb102d3fa5444fe4ba54
SHA256 f748a9e55fa6ff2d30eaa7d17de188cd85e40d770d18cccfa774964b8ca3a31b
SHA512 130adfe0d311c9edb1f5f424da8bdd53f9875cdc16da28e4f8d8abc3e093ba9234d30c5d8b1092ec57119fc8091acd0309097a683dcb3b98aebc801038c94234

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\EABA6506-6EA4-4FC6-AEA1-94907ACDA3D0\Zrtu2hQ08VU_1.metadata

MD5 b370861ddcc5cf5b5f1f1921c25ca055
SHA1 31c813ed0f2b66b70de6e3b5d1f62a0177d7a248
SHA256 f0164179da06b950a3afb962079773073594a1858aef29098c5786f2421a4b3e
SHA512 4d52ee57e2708744dff905331cd68101a1165c387e8aedf9bd902074d408a0852a232bb3beacddceea56d496bb5f7538045150aa17c68f22bc514511d0351733

memory/3760-875-0x0000014715CF0000-0x0000014715DF0000-memory.dmp

memory/3760-876-0x0000014715300000-0x0000014715400000-memory.dmp

memory/3760-894-0x0000014715300000-0x0000014715400000-memory.dmp

memory/3760-896-0x0000014738070000-0x0000014738090000-memory.dmp

memory/3760-900-0x0000014738B60000-0x0000014738C60000-memory.dmp

memory/3760-939-0x0000014738650000-0x0000014738670000-memory.dmp

memory/3760-941-0x0000014738AA0000-0x0000014738AC0000-memory.dmp

memory/3760-940-0x0000014738A00000-0x0000014738A20000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DX2PTHLA\www.bing[1].xml

MD5 e613b9fb06ad763210ff445abbdb30b5
SHA1 73b6029db1b18479a064363d4088b2bdc6fecf83
SHA256 cbe51b0529d09089bae50eeec2fb756d4120da88a88f26d93684b42c199ec2ed
SHA512 bbad2b7a591ed5add67b2d1760713da7f9bfa039a6c5874604d0d2318c7136ceb8b6ed5e47c5bd29738576b013f392091414406bfc6400d3c3e9cc7123ee9245

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DX2PTHLA\www.bing[1].xml

MD5 b02415f1a1cf281bc9cf88e3b93e493e
SHA1 1a8e87135cdd9dc25f3cf12738b51f7d92ef39d1
SHA256 3a6458f9308f22c6954309b4835ff4b9d17dae929778d5755c579bf9d38a3dca
SHA512 ed403684e4a8dc8584e33f82d5f11f64f457449fab1ed9bdd0277275dfdec11b3ce3b986736322040a4eebbfbd130ef9a8bb2c177a95e88a29b2a7f947045f1f

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DX2PTHLA\www.bing[1].xml

MD5 9d95b52b140b5916b62caabc3632900b
SHA1 29303650358c5f6b3ea8c3e5a38b8ed3aa10847a
SHA256 1320ee886b2128e7402cb0bfeb9fa8e32e2c3b29bb6fad3c09228c210809605d
SHA512 17c145345b7f2d15a2c3dda3f6bca19e38eca7e4ffe16d83819e80d9c770c0f63f7b74ddc6e565e0b43e4ac0bf3f58f14e5f9167b3caafc7001418fad49332ac

memory/3760-1213-0x000001474E710000-0x000001474E810000-memory.dmp
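The listing above is the sandbox's raw file-artifact output: a path line followed by MD5/SHA1/SHA256/SHA512 lines, interleaved with memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp entries. The same path can appear several times with different hashes when the file was rewritten during the run, and this excerpt opens with hash lines whose path sits above it. The parser below is added here as an editor's example, not the sandbox's own tooling: it turns that text into records, rejects digests of the wrong length, measures each dumped region, and separates browser-profile artifacts from everything else. The NOISE_PREFIXES classification is an assumption: it treats files under the Edge profile and the MicrosoftWindows.Client.CBS package store as written by the browser that opened the submitted URL rather than dropped by the sample. SAMPLE is constructed from entries copied off this page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Added example (editor's code, not the sandbox's): parse the plain-text
# "Files" listing into records and triage it.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"[0-9a-f]+")
MEM_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

# Assumption (editor's heuristic, not part of the report): files under the Edge
# profile and the CBS package's IE/ServiceWorker stores were written by the
# browser while it opened the submitted URL, not dropped by the sample.
NOISE_PREFIXES = (
    r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data",
    r"C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft",
)


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemoryRecord:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_files_section(text):
    """Return (file_records, memory_records, errors) for one listing."""
    files, dumps, errors, current = [], [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            current = None  # a dump entry ends the preceding file record
            dumps.append(MemoryRecord(int(m["pid"]), int(m["seq"]),
                                      int(m["start"], 16), int(m["end"], 16)))
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_LEN:
            digest = digest.strip().lower()
            if current is None:  # e.g. the listing starts mid-record
                errors.append(f"{algo} line with no preceding path: {digest}")
            elif len(digest) != HASH_LEN[algo] or not HEX_RE.fullmatch(digest):
                errors.append(f"malformed {algo} for {current.path}: {digest}")
            else:
                current.hashes[algo] = digest
            continue
        current = FileRecord(path=line)  # any other line starts a file record
        files.append(current)
    return files, dumps, errors


def is_browser_noise(path):
    return path.startswith(NOISE_PREFIXES)


def triage(text):
    """Summarise: paths rewritten with new content, non-noise paths, dump bytes."""
    files, dumps, errors = parse_files_section(text)
    by_path = defaultdict(set)
    for f in files:
        by_path[f.path].add(f.hashes.get("SHA256"))
    dump_bytes = defaultdict(int)
    for d in dumps:
        dump_bytes[d.pid] += d.size
    return {
        "files": len(files),
        "unique_paths": len(by_path),
        "rewritten_paths": {p: len(h) for p, h in by_path.items() if len(h) > 1},
        "non_noise_paths": sorted(p for p in by_path if not is_browser_noise(p)),
        "dump_bytes_by_pid": dict(dump_bytes),
        "errors": errors,
    }


# Constructed sample: entries copied from this report's Files section, opening
# with hash lines whose path sits above the excerpt (exercises the error path).
SAMPLE = r"""
MD5 48e209b43657ef77464a932e2b5213c7
SHA1 d6b41d18ee6425249ee1c78ba5eb542b3e9556eb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 beb633fe66cdcee142ee4748a6fcea98
SHA256 254daec40c77fe58ebc82feeefe474540ff97c30f525703667fb5f5c376656c7

memory/1912-332-0x0000028E48000000-0x0000028E48100000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DX2PTHLA\www.bing[1].xml
MD5 e1711282a665a3fc75524262dff46767
SHA256 760b5a9272bbec4f2d7b5c3684d670535e89ac48c17ef763386610831a451f65

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
MD5 4a613efd39da32833c14ac0c6f20ea58
SHA256 7c39b4f45ded15e6424ab9094fc25b4b409a3bda53b57e50f97e122232aae8b7

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DX2PTHLA\www.bing[1].xml
MD5 6ab41121dab8c8f9dd25a0516d43821e
SHA256 3bd645c5ddc7e0f82dfa2abdfc9b71833f1da6eb75d335440f2311a1980aed5b

memory/3760-896-0x0000014738070000-0x0000014738090000-memory.dmp
"""
```

Running triage(SAMPLE) reports every path in this excerpt as browser noise (non_noise_paths is empty), both paths as rewritten with distinct content, and the two dumps as 1 MiB and 128 KiB user-mode regions of PIDs 1912 and 3760. That emptiness is the check worth making before lifting any hash from a file listing like this one into a detection rule: the browser-generated artifacts are unique to the run and would only ever match the sandbox itself.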