Malware Analysis Report

2025-01-18 04:08

Sample ID 241104-d4r9qstanj
Target Client-built.exe
SHA256 48d4fde21b28f0614fdf124f83f5594bddc13292f21b775da58b017385a49b01
Tags
office04 quasar discovery spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

48d4fde21b28f0614fdf124f83f5594bddc13292f21b775da58b017385a49b01

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

office04 quasar discovery spyware trojan

Quasar RAT

Quasar payload

Quasar family

Executes dropped EXE

Checks computer location settings

Enumerates connected drives

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Scheduled Task/Job: Scheduled Task

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Uses Task Scheduler COM API

Checks processor information in registry

Opens file in notepad (likely ransom note)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Note: several of the signatures above are attributed to the viewer applications that opened documents during detonation (WINWORD.EXE, mspaint.exe, wmplayer.exe/unregmp2.exe), not to Client-built.exe or Client.exe. Check the Process column of each table under behavioral1 before treating a signature as sample behaviour. The signatures the tables attribute to the sample itself are the Quasar detections, the self-copy to C:\Users\Admin\AppData\Roaming\SubDir\Client.exe, the "java updater" scheduled task, SeDebugPrivilege use, the Geo\Nation query and the AuthRoot certificate write.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 03:34

Signatures

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 03:34

Reported

2024-11-04 03:36

Platform

win10ltsc2021-20241023-en

Max time kernel

103s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar family

quasar

Quasar payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Enumerates connected drives

Note: every row in this table is attributed to wmplayer.exe or unregmp2.exe (Windows Media Player first-run setup, cf. unregmp2.exe /AsyncFirstLogon in Processes), and the WriteProcessMemory lineage shows wmplayer.exe (PID 2636) as its own root, not as a process spawned by the sample. Treat the drive enumeration as host activity rather than as sample behaviour.
Description Indicator Process Target
File opened (read-only) \??\O: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\A: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\E: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\S: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\X: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\L: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\T: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\G: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\K: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\B: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\I: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\M: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Q: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\V: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\W: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Y: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\N: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\P: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\R: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\U: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\unregmp2.exe N/A
File opened (read-only) \??\H: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
File opened (read-only) \??\Z: C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Windows\system32\mspaint.exe N/A
File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\unregmp2.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3495501434-311648039-2993076821-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted from the report] C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A

Note: the write lands in the AuthRoot store, which is the cache Windows' automatic root-certificate update populates, and Client.exe also makes an outbound TLS connection (ipwho.is:443, see Network). A .NET process validating a chain whose root is not yet cached locally triggers exactly this kind of write, so on its own the signature is weak evidence of tampering. Export the certificate under that thumbprint and confirm which CA it belongs to before treating it as a planted root.

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\System32\notepad.exe N/A

Note: the files opened are C:\Users\Admin\AppData\Roaming\BackupInvoke.ini and C:\Users\Admin\AppData\Roaming\CopyJoin.ps1 (see Processes). Nothing else in this report shows file encryption, renamed extensions or a dropped note, so the "ransomware" tag is not supported for this sample; the generic notepad heuristic fired on ordinary document opens.

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\mspaint.exe N/A
N/A N/A C:\Windows\system32\mspaint.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\unregmp2.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\unregmp2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1120 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1120 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1120 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 1120 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4756 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4756 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4756 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\mspaint.exe
PID 4756 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\mspaint.exe
PID 4756 wrote to memory of 884 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4756 wrote to memory of 884 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4756 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\NOTEPAD.EXE
PID 4756 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\NOTEPAD.EXE
PID 4756 wrote to memory of 216 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
PID 4756 wrote to memory of 216 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
PID 4756 wrote to memory of 216 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
PID 2636 wrote to memory of 756 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 2636 wrote to memory of 756 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 2636 wrote to memory of 756 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 756 wrote to memory of 3280 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\system32\unregmp2.exe
PID 756 wrote to memory of 3280 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\system32\unregmp2.exe
PID 4756 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\System32\notepad.exe
PID 4756 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\System32\notepad.exe
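The rows above record which process wrote into which other process. A parent writing into a child it has just created is what an ordinary CreateProcess looks like to the sandbox, so this table doubles as a process-creation log and is the quickest way to separate what Client-built.exe (PID 1120) and its copy Client.exe (PID 4756) launched from unrelated host activity such as Windows Media Player (PID 2636). The script below is an added example and not part of the sandbox report: it parses the rows as printed above, de-duplicates them, rebuilds the lineage and lists which well-known LOLBins the sample spawned. The LOLBin list is an assumption of the example.

```python
import re
from collections import defaultdict

# Constructed sample input: rows of the "Suspicious use of WriteProcessMemory"
# table above, copied as the sandbox emits them (duplicates included).
WPM_ROWS = r"""
PID 1120 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1120 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\SYSTEM32\schtasks.exe
PID 1120 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
PID 4756 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4756 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\mspaint.exe
PID 4756 wrote to memory of 884 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
PID 4756 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\system32\NOTEPAD.EXE
PID 4756 wrote to memory of 216 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
PID 2636 wrote to memory of 756 N/A C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\SysWOW64\unregmp2.exe
PID 756 wrote to memory of 3280 N/A C:\Windows\SysWOW64\unregmp2.exe C:\Windows\system32\unregmp2.exe
PID 4756 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Roaming\SubDir\Client.exe C:\Windows\System32\notepad.exe
"""

# "<writer image> <target image>": both paths may contain spaces, but the
# target always starts with "C:\" and the writer path never contains " C:\",
# so a non-greedy match up to the first such boundary splits them correctly.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")

# Assumption of this example: binaries worth calling out when a sample spawns them.
LOLBINS = {"schtasks.exe", "cmd.exe", "powershell.exe", "wscript.exe",
           "cscript.exe", "regsvr32.exe", "rundll32.exe", "mshta.exe"}


def parse_wpm(text):
    """Return unique (parent_pid, child_pid, parent_image, child_image) edges, in order."""
    seen, edges = set(), []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parent, child = int(m.group(1)), int(m.group(2))
        if (parent, child) in seen:        # the sandbox logs one row per write call
            continue
        seen.add((parent, child))
        edges.append((parent, child, m.group(3), m.group(4)))
    return edges


def build_tree(edges):
    """Map each pid to its children and each pid to its image path."""
    children, images = defaultdict(list), {}
    for parent, child, parent_img, child_img in edges:
        children[parent].append(child)
        images.setdefault(parent, parent_img)
        images[child] = child_img
    return children, images


def roots(edges):
    """Pids that write into others but were never written into: one per lineage."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def descendants(children, pid):
    out, stack = set(), [pid]
    while stack:
        for child in children.get(stack.pop(), []):
            if child not in out:
                out.add(child)
                stack.append(child)
    return out


def render(children, images, pid, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{pid} {images.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, images, child, depth + 1))
    return lines


def spawned_lolbins(edges, root):
    """Basenames of LOLBins anywhere under the given root pid."""
    children, images = build_tree(edges)
    names = {images[p].rsplit("\\", 1)[-1].lower() for p in descendants(children, root)}
    return sorted(names & LOLBINS)


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    children, images = build_tree(edges)
    for root in roots(edges):
        print("\n".join(render(children, images, root)))
        print()
    print("LOLBins launched under PID 1120:", spawned_lolbins(edges, 1120))
```

Running it prints two separate trees, one rooted at Client-built.exe and one at wmplayer.exe, which is the basis for the attribution notes elsewhere in this report: the document viewers (mspaint, WINWORD, POWERPNT, notepad) and both schtasks invocations sit under the sample, while the Media Player/unregmp2 chain does not.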

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

"C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "java updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\AddEdit.png"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\AppData\Roaming\ApproveInvoke.dotm"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\BackupInvoke.ini

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Roaming\ClearUninstall.ppsx" /ou ""

C:\Program Files (x86)\Windows Media Player\wmplayer.exe

"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding

C:\Windows\SysWOW64\unregmp2.exe

"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon

C:\Windows\system32\unregmp2.exe

"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost

C:\Windows\System32\notepad.exe

"C:\Windows\System32\notepad.exe" "C:\Users\Admin\AppData\Roaming\CopyJoin.ps1"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3964 CREDAT:17410 /prefetch:2

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\RegisterUndo.jpeg"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\RestoreAssert.asf"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\SkipUnregister.gif"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\StepRestore.cmd" "

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\StepShow.dib"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Roaming\SuspendRead.rtf" /o ""

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\mspaint.exe

"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Roaming\TraceInstall.wmf"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\TraceMeasure.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x104,0x130,0x7ffa897146f8,0x7ffa89714708,0x7ffa89714718

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3e4 0x2d4

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\UndoStop.xsl

C:\Windows\System32\fontview.exe

"C:\Windows\System32\fontview.exe" C:\Users\Admin\AppData\Roaming\UnprotectRemove.otf

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Roaming\UpdateDebug.htm

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x130,0x134,0x138,0xc8,0x13c,0x7ffa897146f8,0x7ffa89714708,0x7ffa89714718

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5324 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,15126748570456872611,5818128138921015909,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,15126748570456872611,5818128138921015909,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,5657368218220574154,610993385880618956,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,5657368218220574154,610993385880618956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,5657368218220574154,610993385880618956,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3036 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5657368218220574154,610993385880618956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5657368218220574154,610993385880618956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5657368218220574154,610993385880618956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5657368218220574154,610993385880618956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5657368218220574154,610993385880618956,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,5657368218220574154,610993385880618956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3980 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff7f9e05460,0x7ff7f9e05470,0x7ff7f9e05480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,5657368218220574154,610993385880618956,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3980 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5657368218220574154,610993385880618956,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,5657368218220574154,610993385880618956,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 Inversin-43597.portmap.host udp
DE 193.161.193.99:43597 Inversin-43597.portmap.host tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
US 8.8.8.8:53 90.57.201.195.in-addr.arpa udp
DE 193.161.193.99:43597 Inversin-43597.portmap.host tcp
DE 193.161.193.99:43597 Inversin-43597.portmap.host tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.36.55:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
DE 193.161.193.99:43597 Inversin-43597.portmap.host tcp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 246.197.219.23.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 47.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.18.63.31:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 31.63.18.2.in-addr.arpa udp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 143.252.19.2.in-addr.arpa udp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 51.11.108.188:443 nav.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
GB 172.165.69.228:443 data-edge.smartscreen.microsoft.com tcp
GB 172.165.69.228:443 data-edge.smartscreen.microsoft.com tcp
GB 172.165.69.228:443 data-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 188.108.11.51.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 228.69.165.172.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
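Most rows in the Network table are noise for triage purposes: the udp rows to 8.8.8.8:53 are name lookups, the *.in-addr.arpa names are reverse lookups of already-contacted addresses, and the Microsoft, Office and SmartScreen endpoints are reached by the Office, Edge and Windows processes in the process list. What remains is one repeated TCP connection to 193.161.193.99:43597 via Inversin-43597.portmap.host (a hostname whose embedded number matches the destination port, as port-forwarding relay services assign them) and a single HTTPS request to ipwho.is, a public IP geolocation API. The script below is an added example, not output of the sandbox: it parses rows in the format printed above, discards the DNS and reverse-lookup noise, and classifies TCP destinations into platform telemetry, recon lookups and C2 candidates, then emits IOC strings. The suffix lists, the geolocation-host list and the classification rule are assumptions of the example, and the rows are a verbatim subset of the table above.

```python
from collections import Counter

# Constructed sample input: a subset of the Network table above, copied verbatim
# (country, destination, domain, protocol; the multicast row has no domain).
NETWORK_ROWS = """
US 8.8.8.8:53 Inversin-43597.portmap.host udp
DE 193.161.193.99:43597 Inversin-43597.portmap.host tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 ipwho.is udp
DE 195.201.57.90:443 ipwho.is tcp
DE 193.161.193.99:43597 Inversin-43597.portmap.host tcp
DE 193.161.193.99:43597 Inversin-43597.portmap.host tcp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.36.55:443 fd.api.iris.microsoft.com tcp
DE 193.161.193.99:43597 Inversin-43597.portmap.host tcp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 2.19.252.143:443 binaries.templates.cdn.office.net tcp
GB 51.11.108.188:443 nav.smartscreen.microsoft.com tcp
N/A 224.0.0.251:5353 udp
"""

# Assumptions of this example, not facts from the report: vendor domains the
# Windows/Office/Edge processes contact on their own, services that hand out
# public hostnames for tunnels or dynamic IPs, and public IP-lookup APIs.
PLATFORM_SUFFIXES = (".microsoft.com", ".office.net", ".live.com", ".windowsupdate.com", ".msedge.net")
RELAY_SUFFIXES = (".portmap.host", ".portmap.io", ".ngrok.io", ".ddns.net", ".duckdns.org", ".no-ip.org")
GEO_LOOKUP_HOSTS = {"ipwho.is", "ip-api.com", "ipinfo.io", "api.ipify.org"}


def parse_rows(text):
    """Parse 'country ip:port [domain] proto' rows into dicts."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 3:                 # no domain column (multicast/mDNS)
            parts.insert(2, "")
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def classify(domain, port):
    """Return (label, reasons) for one TCP destination."""
    name = domain.lower()
    if name in GEO_LOOKUP_HOSTS:
        return "recon", ["public IP/geolocation lookup (victim fingerprinting)"]
    if name.endswith(PLATFORM_SUFFIXES):
        return "platform", []
    reasons = []
    if name.endswith(RELAY_SUFFIXES):
        reasons.append("hostname under a port-forwarding/dynamic-DNS relay service")
    if port not in (80, 443):
        reasons.append(f"non-standard port {port}")
    if not name:
        reasons.append("bare IP, no hostname")
    return ("c2_candidates" if reasons else "unknown"), reasons


def triage(text):
    """Strip lookup noise, count TCP flows per destination and bucket them."""
    rows = parse_rows(text)
    queried = {r["domain"] for r in rows
               if r["proto"] == "udp" and r["port"] == 53 and not r["domain"].endswith(".in-addr.arpa")}
    flows = Counter((r["domain"], r["ip"], r["port"]) for r in rows if r["proto"] == "tcp")
    result = {"c2_candidates": [], "recon": [], "platform": [], "unknown": [], "queried": sorted(queried)}
    for (domain, ip, port), count in flows.most_common():
        label, reasons = classify(domain, port)
        result[label].append({"domain": domain, "ip": ip, "port": port,
                              "connections": count, "reasons": reasons})
    return result


def to_iocs(result):
    """Flat, de-duplicated indicator list for the C2 candidates only."""
    iocs = set()
    for entry in result["c2_candidates"]:
        iocs.update({f"domain:{entry['domain']}", f"ip:{entry['ip']}",
                     f"socket:{entry['ip']}:{entry['port']}"})
    return sorted(iocs)


if __name__ == "__main__":
    summary = triage(NETWORK_ROWS)
    for entry in summary["c2_candidates"]:
        print(f"C2 candidate: {entry['domain']} {entry['ip']}:{entry['port']} "
              f"({entry['connections']} connections): {'; '.join(entry['reasons'])}")
    for entry in summary["recon"]:
        print(f"Recon: {entry['domain']} ({entry['reasons'][0]})")
    print("IOCs:", to_iocs(summary))
```

Block the socket, not just the IP: relay services reuse addresses across many customers, so 193.161.193.99 on other ports may be unrelated traffic, while the hostname Inversin-43597.portmap.host and the port pair together identify this operator's tunnel.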

Files

memory/1120-0-0x00007FFAA8273000-0x00007FFAA8275000-memory.dmp

memory/1120-1-0x00000000005B0000-0x00000000008D4000-memory.dmp

memory/1120-2-0x00007FFAA8270000-0x00007FFAA8D32000-memory.dmp

C:\Users\Admin\AppData\Roaming\SubDir\Client.exe

MD5 f5b93af3ee1b64dacd2bac9ba4af9b27
SHA1 1f2a038199a71a2b917dca4dff2f5fac5e840978
SHA256 48d4fde21b28f0614fdf124f83f5594bddc13292f21b775da58b017385a49b01
SHA512 83703b0f567723abe3d6b34bd419be5df3475e049ae8893993fec017da9a420cd875184c570bdffbfc0bccac662762991885dea8ebcc2af172b3aac2fb00a302

Identical SHA256 to the submitted Client-built.exe: the sample copies itself unchanged to %APPDATA%\SubDir\Client.exe, the path the "java updater" scheduled task launches at logon, so the original hash is also the hash to hunt for at the install location.

memory/4756-6-0x00007FFAA8270000-0x00007FFAA8D32000-memory.dmp

memory/1120-5-0x00007FFAA8270000-0x00007FFAA8D32000-memory.dmp

memory/4756-7-0x00007FFAA8270000-0x00007FFAA8D32000-memory.dmp

memory/4756-8-0x000000001D250000-0x000000001D2A0000-memory.dmp

memory/4756-9-0x000000001D360000-0x000000001D412000-memory.dmp

memory/4756-12-0x000000001D2A0000-0x000000001D2B2000-memory.dmp

memory/4756-13-0x000000001D300000-0x000000001D33C000-memory.dmp

memory/4756-14-0x00007FFAA8270000-0x00007FFAA8D32000-memory.dmp

memory/4756-15-0x00007FFAA8270000-0x00007FFAA8D32000-memory.dmp

memory/884-16-0x00007FFA86850000-0x00007FFA86860000-memory.dmp

memory/884-17-0x00007FFA86850000-0x00007FFA86860000-memory.dmp

memory/884-19-0x00007FFA86850000-0x00007FFA86860000-memory.dmp

memory/884-20-0x00007FFA86850000-0x00007FFA86860000-memory.dmp

memory/884-18-0x00007FFA86850000-0x00007FFA86860000-memory.dmp

memory/884-21-0x00007FFA84190000-0x00007FFA841A0000-memory.dmp

memory/884-22-0x00007FFA84190000-0x00007FFA841A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\BA82CC69-63A7-475F-90A4-EFC35CF2C13F

MD5 04f4603517c8e150310863e650bfd4d7
SHA1 bcb084dfaa57db7600402371688515d1a4b0b42a
SHA256 b9ad6056cc6850ba9930145cc7b00b4198c0cdc708a9a3a07d9d6e1fd12fef87
SHA512 214b98f5d0dccc702a1db3fdfa67a0dd38a52dc0932bc1df7c590080c5a3be2b4e78cdd6309ede336bc7a7fa32103c233a1700d04ca2552667487a0b3b875e53

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 9089c5c8b4eafd9bfb73e3be0d1ff7e0
SHA1 6599474d13a9c792cb78dc689790df565935bcbf
SHA256 2d48f7b2dfbb2cba93b92bd26d054e4567e90f2b61f931a950a3045bc65fb761
SHA512 238aff71eda9d786e08ec4dd5c2b432d68785ae10d662cce7195cf37a2c5400ed523e59354a7aaf6ca1b588c0f7678185c5748cafa09b748ef5287a811fdfb9c

C:\Users\Admin\AppData\Local\Temp\wmsetup.log

MD5 d99808b2174b053ac2a9ac30e6edd1a4
SHA1 4f5775cc327130cee2d4246ce973b932c28e1fa3
SHA256 405c7fabb0478aca690ebe7713388c8b864f8156b3034c49554d55572b6e4096
SHA512 af0d1b41fa13b92ff283b992371ad733531325fbbcfa31ef439258505f20c7e2b93c5a53111bcf3e349022c08d236696d52c8ae769ff89932106e64e3c6be13e

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

MD5 acdde3648d799ead46ddd5609a733b8d
SHA1 76745414d961a336d2ae9ea6c8427c2c08cd3e62
SHA256 b0926d0594d3cf11dc091b567f2e8702956817ccd2e713d3cd2f89bb89c9f50e
SHA512 6666dffd160f14231b97dbb988592ac6d22d2aeff3dd30dee2acd6e813bb83510a543558ef3d9847c5c86c3129161a759ca52cc722e36f77a2b7a89459031455

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres

MD5 5f4e4fea33cbc0f21c584c819f2e91ea
SHA1 d4d10cddcc207153f3e0d5b57a706823492190d3
SHA256 46b4c1e602594f4033018c79ebe8ead1369f7de5fcdc14b5919b2e73f10b4783
SHA512 d6d8bbc7acf39a809450c2f02c0e8d8f3942b684d2eb819cdeb12a6ceb92e38beed4b07bc69648cef68414576864dc97a241d729f735c0ee4e57946c52f46938

C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

MD5 6291990746447637f646da0a7102aa29
SHA1 79afd968076fdc54e701ab6c097f23e1fe8a153a
SHA256 703df4903f46538e540c1ced1c4d3247552f175e563626ba3e6898efa1d5dc03
SHA512 50b1230abf3429e247dd6a8e878a7054e9cef2fc40e5df1c8e6b1c8cb7022cc19d5e0dd8569d5b379000f3c1681f8cf69f31fe1e21cd73fd336c8365ad55edcc

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 ee141df87d572b7d7d604be1c01528cd
SHA1 cd4ff5ebe7531ac5cac930fa2761ab6c8ad3e904
SHA256 40e114c347fd2981e632d3e8419b96f24d1e071f9d6cd50d53150247655724da
SHA512 b6f031d35e1f076930c5e489ea68a743ba290e9e16f0526c2a7c76f32ec159eaa628059b0b4f3de7d57484f166f8bd63fea03656b5e23c3e5f19264466cd283a

memory/2636-80-0x000000000A1E0000-0x000000000A1F0000-memory.dmp

memory/2636-85-0x000000000A1E0000-0x000000000A1F0000-memory.dmp

memory/2636-84-0x000000000A1E0000-0x000000000A1F0000-memory.dmp

memory/2636-83-0x000000000A1E0000-0x000000000A1F0000-memory.dmp

memory/2636-81-0x000000000A1E0000-0x000000000A1F0000-memory.dmp

memory/2636-86-0x000000000A1E0000-0x000000000A1F0000-memory.dmp

memory/2636-87-0x000000000A1E0000-0x000000000A1F0000-memory.dmp

memory/2636-82-0x000000000A1E0000-0x000000000A1F0000-memory.dmp

memory/4756-92-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

memory/4756-93-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

memory/4756-97-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

memory/4756-96-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

memory/4756-95-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

memory/4756-94-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

memory/4756-98-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

memory/4756-103-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

memory/4756-102-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

memory/4756-101-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

memory/4756-100-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

memory/4756-99-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

memory/4756-105-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

memory/4756-106-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

memory/4756-107-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

memory/4756-104-0x000000001D2C0000-0x000000001D2D0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 8a30a9b50fedce017b52120d4343b95a
SHA1 8de5de177d1008f9667108f6b5802a2a52b88a88
SHA256 4550fdafe58e9e306e641eefdb4bfd0a0f560bad671dfe5730a4ef029b3ffb3d
SHA512 7edf4b47f415103805bf251adb8e135398ca632eced27d87ee5d40f8854edc7bdf06e84173ed537791dd0a56554d6e692e500274f991bec08d408f9dc73cbab1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

MD5 acebd4b60e4762f00c3a188c00ec57f0
SHA1 d0f662b43e409e834afb8c6182a65aa9fccdc2a5
SHA256 0b241fbc20a1bd13a681f5c6fcb287554d8d0a6dc3133a2213114dc41de1a8bf
SHA512 5c1517bf323196749397c61208e8afe0836789f4f33500ab064282f5fd60fddf8143e00522e3030e7cc74c1a1973f2dec4ea0a5afbcd9182ad8ab1a74e1d003e

C:\Windows\Debug\WIA\wiatrace.log

MD5 820f9d86754330e2a781780e4824f2e5
SHA1 0c98d60d6d1f2678ef84bcb2d16bd086194cdfc5
SHA256 e5806bf213771c0739b457b681782217123b3aeeb3aa4643f9ca955a65d12e24
SHA512 a127790a1267eaa59dd537abdce6ea59e2b3545d9a14d46395b5d3bd678a2c38c5b01331384b142ddfcfe52b70114a8064ec6875fba9019b354a9fa5f94956eb

C:\Windows\Debug\WIA\wiatrace.log

MD5 0aaf4d88c6447a07335a4d0a2ee33b77
SHA1 323c1d5f69332a4fa04f95c363f3bd5f9aca06a3
SHA256 0442b588d6b4117eb5144c15d297a263bcce8bc8ac29d41f0d0cb4e1ec13d80f
SHA512 0e167e1bcb9054e65c95bfb6573fc11207bb8866117ccbabf20070200c8740a281d152f98a1f70c6fa7a57ba491982a745518f3956b85e2186bdd911ca7fa125

C:\Windows\Debug\WIA\wiatrace.log

MD5 6f71994018a48263fef3848945fcfef2
SHA1 65b1f9e198082a29e1881548729e78a6abfa185d
SHA256 fae72f6e384f1c0e48bcdedb11f67ceed3cbeee38e180d6ca86b099975038b4f
SHA512 75e58ceb352e7e0e2b9708fc658d584d97c1ca3b02f3357b7dd4ad3598d6929989584e14079230c7412061ffd8ce429aac73a6863e41e8941e43157d0bc87590

C:\Windows\Debug\WIA\wiatrace.log

MD5 c15e6701914a31ebbec4f4aeb564a917
SHA1 7509f77bcdad71f794398067c1074e3a2bc07173
SHA256 a41d8e6ff817de787b494c8a6ac5312b0ebdc9022ba8433251c67e75020de7c9
SHA512 6687c45a618cd7aeda1ddd7b6048f1b094647697b15e510c933ff2a420d33ec1771f96647a4e5406cd1e3d1aff7e18d6e670f1cd112d75d03db0cf3f4140080f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e87625b4a77de67df5a963bf1f1b9f24
SHA1 727c79941debbd77b12d0a016164bae1dd3f127c
SHA256 07ecc7bd328990f44b189112a1a738861b0f4528097d4371e1ab0c46d8819f4e
SHA512 000d74220ba78628b727441c1b3f8813eec7fc97ff9aa6963eb2ab08d09525fa03935b32e86458c42e573b828a22b0b229af02b47eee511dc83de4ed3b5e726b

\??\pipe\LOCAL\crashpad_5176_YPCJABNLCSAMSNUX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6c36c163d863997bb12b70b8e8347604
SHA1 5918e662a76713bf4056f3b576a7d80f0caa5ed0
SHA256 e83630dad6de593a5f4aad9106f7f382f484675aef8b5d3707998fb47022431a
SHA512 4aea6a97de01d73511a5b5195b8c21f2409478f9f4182b1275a246bf2abd52db2ebfa14bd85abe9274b77664b88960bea8be34ec712a71c4cea0e5f576ce0ffa

memory/644-485-0x00007FFA8EE40000-0x00007FFA8F04B000-memory.dmp

memory/644-492-0x00007FFA9F220000-0x00007FFA9F23B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 137094a3453899bc0bc86df52edd9186
SHA1 66bc2c2b45b63826bb233156bab8ce31c593ba99
SHA256 72d823cac2d49660cdd20ebf4d3ac222c4dd15aae6e5ac4a64f993ef5c4fdd44
SHA512 f8f149c9eab06e8d7e1aa62145f0fc588dc36fc521ef4dceceb80a191b72d79586d920feb5f3b1d19595109cc6d608c143e32f521a4da1068c708a2538899ada

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 46da169bb5f944fd6d8ba3cc390cc886
SHA1 cc9c49d41fa0ed7be5108300c62251c9c3185359
SHA256 21d4bd515856639571956a6b79af586eef39ecca4b64d8c70f1ba45412a870da
SHA512 a4926d7a48100cfefd79a31779561291d4c904e620c5aeff838a0cc589cd1fe8104b521bee510d34fa6a463004b72418b360b09b4d5c21452778b9c7a95867e4

memory/644-491-0x00007FFA9F240000-0x00007FFA9F251000-memory.dmp

memory/644-490-0x00007FFA9F2C0000-0x00007FFA9F2D1000-memory.dmp

memory/644-489-0x00007FFA9F2E0000-0x00007FFA9F2F1000-memory.dmp

memory/644-488-0x00007FFA9F300000-0x00007FFA9F318000-memory.dmp

memory/644-487-0x00007FFA9FA60000-0x00007FFA9FA81000-memory.dmp

memory/644-486-0x00007FFA9F320000-0x00007FFA9F361000-memory.dmp

memory/644-484-0x00007FFA9FB30000-0x00007FFA9FB41000-memory.dmp

memory/644-483-0x00007FFA9FE40000-0x00007FFA9FE5D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

MD5 5d4af1e3a61955142979ae38d0d82880
SHA1 b17832a356c6a855c68bc738e0d3a2f522b9a9b0
SHA256 868c16c567b858001f7c86a92f61020209d9bdd8058041140755622619046c2d
SHA512 853bd1a3f80356c451a10e834f77ed9faa6f72441ca5819acfbe4a50bfd9a5a6444e8fae29f54c611e3f8f61cff824cdda48ecf85980d1c21546965c3d907f83

memory/644-482-0x00007FFAA05F0000-0x00007FFAA0601000-memory.dmp

memory/644-481-0x00007FFAA0610000-0x00007FFAA0627000-memory.dmp

memory/644-480-0x00007FFAA37D0000-0x00007FFAA37E1000-memory.dmp

memory/644-454-0x00007FFA8F050000-0x00007FFA8F306000-memory.dmp

memory/644-479-0x00007FFAAE070000-0x00007FFAAE087000-memory.dmp

memory/644-478-0x00007FFAAE630000-0x00007FFAAE648000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5d9c9a841c4d3c390d06a3cc8d508ae6
SHA1 052145bf6c75ab8d907fc83b33ef0af2173a313f
SHA256 915ea0e3e872d2b2e7d0e0ca30f282675139c787fec8043a6e92b9ef68b4f67d
SHA512 8243684857e1c359872b8e795a0e5f2ee56b0c0c1e1c7e5d264c2c28476e9830981bb95244f44c3b2ed334c3e1228f3d6245cce2f3d1f34cdbce8e2af55b4c85

memory/644-453-0x00007FFAA0830000-0x00007FFAA0864000-memory.dmp

memory/644-452-0x00007FF7C6100000-0x00007FF7C61F8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F286C1F2-9A5D-11EF-96B2-D2E6B09CCA5E}.dat

MD5 0c95cbf262381729929003f9e8e5490b
SHA1 799df65a465ed1ec0dd11f709b3f07053adc328d
SHA256 af1918352a3ad61d1894663b6fd0bd897f5473725abefbd6cdf8fbe3edf1b4f7
SHA512 00b7a697f2952c9a5878a6c89f835535686468dd85e81b6fcd9a831c4383c72e6c869935196c353777dda262fd0fa024999df63384e2522e1f93975d414538cf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7EF516642261549A23D49DB36FFE5F3F_61FBF64E4C250562CDD1DE2D4EB32EE1

MD5 d93be4116de766e1851b695971ef2393
SHA1 b5e4735448fb0f16ef4422e53f3914489f8fc0c6
SHA256 2c2aa1e71979c4383542e81fc089812e41a2c0a5be33ff5d41f01d72650a64d7
SHA512 6fb1f6eb82b3440e7bed2d547abbf30444fa09f9b6e48aabdbe3dd80a414d682182314db4594f54d9c6dcfb891f5f99fb9f04be888b27253f3e9cb29801ce565

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7EF516642261549A23D49DB36FFE5F3F_61FBF64E4C250562CDD1DE2D4EB32EE1

MD5 48303404955350f66314fd6d90c3b516
SHA1 04fbb379a59d1d054b0a708444203bb870941282
SHA256 2eda4540a99112e28788e522c76b84b59bc4da47b7025f56cfdb11e269084d97
SHA512 43ecd0b43c18c97e4e25a0f1175924f721089a8830af425c84473ef8b5790ba4220414a380ba3ba85d295a5302eb0a73f6b710f2373072faf8a031e9755362eb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 3c39bcc668b6bf1c1b8b36e6aa5859cf
SHA1 a1170db978ed32ee9fffd8695873257a13bc1f5c
SHA256 0a51ba843f795248e6e51ab25b0de3ae85ba55d191da3607ecce4b44550b357e
SHA512 d29de824d003dc9ede1aba5fa95e29827a001335b4f8b18ef9ddd7891c54b0e204eb037b0d599bff2b48a99748b02eba49e8df3ebf853deea747ac1a8aae0866

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 53c87adbfd3d6b343058c16ec9a01034
SHA1 f72260732b4e1f89623f3c675a0d51008bd48f30
SHA256 cacc2d1bacf7dbfa59a9811195113755891d4b64f65d25502b950af33455d933
SHA512 ab5fd17112556237632f81db51b66418613e1d827a6a96359a6b02ee7b86921af97d4d865f0ee1894a03aa7f49fe9f888e1de068eb218923345d91bb4b78d166

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5e7c9055e0dc5d6ab5c1d47f1cc27302
SHA1 ee7b7cd566869169ac37461cf9af556809feb7f4
SHA256 4e0e900bbc0a0a39bb0606d95409e0ec359319fa72ef170a1143d93e0d830052
SHA512 c4e7f34fdb85b189e51cbdff22419051aa26b956de51c5dbc5aeaaad25a0bf80ab6bb28699a71a099847b89487c4bdf8cf48786a58a06a926abb2ef6f0f65a31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 b4c368f8851eec362f9bab6aa80623da
SHA1 1960934afb425ff73c3b6546f307e74e64f343ff
SHA256 9009daecfdb4168f9c167f4742b4f99e650ab1f967f98424d1a3e688f18389c1
SHA512 2388b164753293d451f7acb162234f15071718f97f5cb340ef3616b81f418a77e3edf8031222861a84aacd3d4e528308c8c5e150fbdbb48b1421edab2d95e723

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

MD5 4e75dc6ddef26401f316ea8f706b43b0
SHA1 d7cafe946ba418fc6ca38b59d96ca92ff146a083
SHA256 c3cf3ff41034a0a0568915c51e4c8da2c0827b248f8026d9a374d2a9814611ab
SHA512 f1d6ba433007bc978423b4aec1b5af278f35c1f35fa9d682fde7480817839ff534d590c93d50e18cb22448e26ac07b1a256b7bf61c9d29b933a29a46ffb2a8a2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 df56e91a9baa77437f153babcb662523
SHA1 a4b2b3eaf5e245d668963890b657a48e8d234d64
SHA256 edcfcaaeebe7d7a2b58c7c6e07e9595ec64cfbc85210fdda4f842cf94ceffd4b
SHA512 89fd604c95f6d53a8a8030f5f94de75a635ee9db1e66cd777ba4fdf783c6f93c8789b9e6a35c945bc732a5fd15337407eb8bf76ebec9b516b51160a0b5c66898

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 364592d2cc18adf665987584bf528cba
SHA1 d1225b2b8ee4038b0c42229833acc543deeab0f6
SHA256 bd97dd6797bb763681cfb1fc3cc21a44a273aab1d9a4f4f9332675c662d2136c
SHA512 0e852db825e451464cbcfda95eae2dfe780874bd20e7b467604962428007d1735ece752aa5901d468708a68d66d029271d5567b39c530d2d44b875abbff9aa40

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 50a084e44944b2031dcecfb0f4315a11
SHA1 2697ddb7988b64a9c76bc684e0ab92d35bed3028
SHA256 4e1bbce6fe7252706931488e4f3693db930eadfb11422ea4c4dd1419f9ed588d
SHA512 fd21bab041738f17a33644d74a81746255709a6cd1e6d5bf1f30feebf43bb3c78738108b914d295df701f5f6e031f1f3f9c48b3fb64fba47afd867435699c1bf