Malware Analysis Report

2025-01-02 03:52

Sample ID 231211-e56deschgn
Target fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4
SHA256 fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4
Tags
dcrat djvu privateloader redline risepro smokeloader zgrat livetraffic up3 backdoor paypal collection discovery evasion infostealer loader persistence phishing ransomware rat spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4 was found to be: Known bad.

Malicious Activity Summary

RedLine

SmokeLoader

Detect ZGRat V1

DcRat

RedLine payload

PrivateLoader

RisePro

Djvu Ransomware

ZGRat

Detected Djvu ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies file permissions

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Checks computer location settings

Deletes itself

Drops startup file

Checks BIOS information in registry

Themida packer

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Checks whether UAC is enabled

Looks up external IP address via web service

Checks installed software on the system

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in System32 directory

Detected potential entity reuse from brand paypal.

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Runs net.exe

outlook_win_path

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Checks processor information in registry

Enumerates system info in registry

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 04:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 04:32

Reported

2023-12-11 04:35

Platform

win10v2004-20231127-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8171b708-9330-4405-a332-80ee9f3f9420\\158A.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\158A.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\F7.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\F7.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\F7.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\158A.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2690.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\158A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\21A0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\32D8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ot2Cu80.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Tk8hR5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C507.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\AceFlags\kglgyjf\ContextProperties.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2690.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29BE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Broom.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tuc3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\latestX.exe N/A
N/A N/A C:\Program Files (x86)\xrecode3\xrecode3.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8171b708-9330-4405-a332-80ee9f3f9420\\158A.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\158A.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\32D8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ot2Cu80.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\F7.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A ipinfo.io N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F7.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\xrecode3\bin\x86\is-1JPI5.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\stuff\is-T1LGF.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-PNM8V.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-F5GL9.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-CHR6S.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-H75ER.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-V2K8J.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-8DO20.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-NIGCK.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-2JVGS.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-8V5LL.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-DAV3V.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\stuff\is-GA0JA.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-U419R.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-F09L8.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-2CRSU.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\plugins\internal\is-EG6SP.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-CF2PP.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\stuff\is-M237F.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-0TR16.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-UD2LI.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-IGGNC.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-VL5K5.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-O9BJ8.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-3QVE5.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\lessmsi\is-J3U02.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\is-FCLTQ.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\install\is-TB8TH.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-V0RQ2.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-455JG.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-CU4CK.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-S6GT6.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-MIRLL.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-INKPP.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-0S5PG.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-T3OCN.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-P02HO.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-KGGPC.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-TO5BA.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\install\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-MSQ3H.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-CKBHG.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-VMR2F.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-I8S1Q.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File opened for modification C:\Program Files (x86)\xrecode3\install\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-898B2.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-A2FGF.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-4J1VC.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-59O25.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-7EM5F.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-2JQ05.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-RI4NF.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-J7C9P.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-E07UH.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\stuff\is-0FIIP.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-BIIMO.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-61UNE.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-5I12B.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-BGG6B.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\plugins\internal\is-754EV.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-OOGKJ.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-INOBN.tmp C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A
File opened for modification C:\Program Files (x86)\xrecode3\xrecode3.exe C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\21A0.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\21A0.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C507.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Tk8hR5.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Tk8hR5.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Broom.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2384 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe
PID 2384 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe
PID 2384 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe
PID 2384 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe
PID 2384 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe
PID 2384 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe
PID 3188 wrote to memory of 2216 N/A N/A C:\Windows\system32\cmd.exe
PID 3188 wrote to memory of 2216 N/A N/A C:\Windows\system32\cmd.exe
PID 2216 wrote to memory of 3864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2216 wrote to memory of 3864 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3188 wrote to memory of 1544 N/A N/A C:\Windows\system32\cmd.exe
PID 3188 wrote to memory of 1544 N/A N/A C:\Windows\system32\cmd.exe
PID 1544 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1544 wrote to memory of 1956 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3188 wrote to memory of 4636 N/A N/A C:\Users\Admin\AppData\Local\Temp\F7.exe
PID 3188 wrote to memory of 4636 N/A N/A C:\Users\Admin\AppData\Local\Temp\F7.exe
PID 3188 wrote to memory of 4636 N/A N/A C:\Users\Admin\AppData\Local\Temp\F7.exe
PID 3188 wrote to memory of 5044 N/A N/A C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 3188 wrote to memory of 5044 N/A N/A C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 3188 wrote to memory of 5044 N/A N/A C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 5044 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 5044 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 5044 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 5044 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 5044 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 5044 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 5044 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 5044 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 5044 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 5044 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 5020 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Windows\SysWOW64\icacls.exe
PID 5020 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Windows\SysWOW64\icacls.exe
PID 5020 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Windows\SysWOW64\icacls.exe
PID 3188 wrote to memory of 3220 N/A N/A C:\Users\Admin\AppData\Local\Temp\21A0.exe
PID 3188 wrote to memory of 3220 N/A N/A C:\Users\Admin\AppData\Local\Temp\21A0.exe
PID 5020 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 5020 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 5020 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 4960 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 4960 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 4960 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 4960 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 4960 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 4960 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 4960 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 4960 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 4960 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 4960 wrote to memory of 4764 N/A C:\Users\Admin\AppData\Local\Temp\158A.exe C:\Users\Admin\AppData\Local\Temp\158A.exe
PID 3188 wrote to memory of 1516 N/A N/A C:\Users\Admin\AppData\Local\Temp\32D8.exe
PID 3188 wrote to memory of 1516 N/A N/A C:\Users\Admin\AppData\Local\Temp\32D8.exe
PID 3188 wrote to memory of 1516 N/A N/A C:\Users\Admin\AppData\Local\Temp\32D8.exe
PID 1516 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\32D8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ot2Cu80.exe
PID 1516 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\32D8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ot2Cu80.exe
PID 1516 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\32D8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ot2Cu80.exe
PID 1960 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ot2Cu80.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe
PID 1960 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ot2Cu80.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe
PID 1960 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ot2Cu80.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe
PID 1808 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe C:\Windows\SysWOW64\schtasks.exe
PID 1808 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe C:\Windows\SysWOW64\schtasks.exe
PID 1808 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe C:\Windows\SysWOW64\schtasks.exe
PID 1808 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe C:\Windows\SysWOW64\schtasks.exe
PID 1808 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe C:\Windows\SysWOW64\schtasks.exe
PID 1808 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe C:\Windows\SysWOW64\schtasks.exe
PID 1960 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ot2Cu80.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe

"C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe"

C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe

"C:\Users\Admin\AppData\Local\Temp\fa9fb16970242eec35b2515ad1349171a784f612697fa5174a08a692ede0b1f4.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F6B4.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\F8F7.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\F7.exe

C:\Users\Admin\AppData\Local\Temp\F7.exe

C:\Users\Admin\AppData\Local\Temp\158A.exe

C:\Users\Admin\AppData\Local\Temp\158A.exe

C:\Users\Admin\AppData\Local\Temp\158A.exe

C:\Users\Admin\AppData\Local\Temp\158A.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\8171b708-9330-4405-a332-80ee9f3f9420" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\21A0.exe

C:\Users\Admin\AppData\Local\Temp\21A0.exe

C:\Users\Admin\AppData\Local\Temp\158A.exe

"C:\Users\Admin\AppData\Local\Temp\158A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\158A.exe

"C:\Users\Admin\AppData\Local\Temp\158A.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4764 -ip 4764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 568

C:\Users\Admin\AppData\Local\Temp\32D8.exe

C:\Users\Admin\AppData\Local\Temp\32D8.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ot2Cu80.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ot2Cu80.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1808 -ip 1808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 1744

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qP694AX.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qP694AX.exe

C:\Users\Admin\AppData\Local\Temp\21A0.exe

C:\Users\Admin\AppData\Local\Temp\21A0.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Tk8hR5.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Tk8hR5.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffcbdd846f8,0x7ffcbdd84708,0x7ffcbdd84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcbdd846f8,0x7ffcbdd84708,0x7ffcbdd84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcbdd846f8,0x7ffcbdd84708,0x7ffcbdd84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffcbdd846f8,0x7ffcbdd84708,0x7ffcbdd84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1548,7693300690871602940,5963719020992529650,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcbdd846f8,0x7ffcbdd84708,0x7ffcbdd84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,12221000533021311263,10722921216563876504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcbdd846f8,0x7ffcbdd84708,0x7ffcbdd84718

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcbdd846f8,0x7ffcbdd84708,0x7ffcbdd84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcbdd846f8,0x7ffcbdd84708,0x7ffcbdd84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffcbdd846f8,0x7ffcbdd84708,0x7ffcbdd84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffcbdd846f8,0x7ffcbdd84708,0x7ffcbdd84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7632 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7604 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7784 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7332 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\C507.exe

C:\Users\Admin\AppData\Local\Temp\C507.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17219006106954199398,5310208172058672901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1

C:\Users\Admin\AppData\Local\AceFlags\kglgyjf\ContextProperties.exe

C:\Users\Admin\AppData\Local\AceFlags\kglgyjf\ContextProperties.exe

C:\Users\Admin\AppData\Local\Temp\2690.exe

C:\Users\Admin\AppData\Local\Temp\2690.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\29BE.exe

C:\Users\Admin\AppData\Local\Temp\29BE.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-74U6N.tmp\tuc3.tmp" /SL5="$C01CE,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

Network

Country Destination Domain Proto
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 24.52.193.212.in-addr.arpa udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 edarululoom.com udp
US 172.67.167.33:443 edarululoom.com tcp
US 8.8.8.8:53 33.167.67.172.in-addr.arpa udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 brusuax.com udp
KR 211.171.233.129:80 brusuax.com tcp
US 8.8.8.8:53 129.233.171.211.in-addr.arpa udp
US 38.47.221.193:34368 tcp
US 8.8.8.8:53 193.221.47.38.in-addr.arpa udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 185.196.8.238:80 185.196.8.238 tcp
US 8.8.8.8:53 220.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 238.8.196.185.in-addr.arpa udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 109.107.182.45:80 109.107.182.45 tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 45.182.107.109.in-addr.arpa udp
RU 212.193.52.24:80 host-host-file8.com tcp
RU 212.193.52.24:80 host-host-file8.com tcp
BG 91.92.243.247:80 tcp
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 51.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 store.steampowered.com udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 twitter.com udp
GB 157.240.221.35:443 www.facebook.com tcp
US 92.123.241.50:443 store.steampowered.com tcp
BE 64.233.166.84:443 accounts.google.com tcp
US 104.244.42.65:443 twitter.com tcp
US 8.8.8.8:53 35.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 50.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 84.166.233.64.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp
BE 64.233.166.84:443 accounts.google.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
US 8.8.8.8:53 www.epicgames.com udp
US 52.203.174.160:443 www.epicgames.com tcp
US 8.8.8.8:53 65.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 103.202.103.104.in-addr.arpa udp
US 8.8.8.8:53 160.174.203.52.in-addr.arpa udp
US 8.8.8.8:53 www.paypal.com udp
US 151.101.1.21:443 www.paypal.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.178.14:443 www.youtube.com tcp
GB 142.250.178.14:443 www.youtube.com udp
US 8.8.8.8:53 i.ytimg.com udp
GB 172.217.169.54:443 i.ytimg.com tcp
US 8.8.8.8:53 84.239.225.13.in-addr.arpa udp
US 8.8.8.8:53 21.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 54.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
FR 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 68.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 host-host-file8.com udp
RU 212.193.52.24:80 host-host-file8.com tcp
US 8.8.8.8:53 api.twitter.com udp
US 8.8.8.8:53 abs.twimg.com udp
US 8.8.8.8:53 api.x.com udp
US 104.244.42.66:443 api.twitter.com tcp
US 8.8.8.8:53 video.twimg.com udp
US 172.64.150.242:443 api.x.com tcp
US 8.8.8.8:53 t.co udp
US 152.199.21.141:443 abs.twimg.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 8.8.8.8:53 pbs.twimg.com udp
GB 199.232.56.158:443 video.twimg.com tcp
US 104.244.42.133:443 t.co tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 192.229.233.50:443 pbs.twimg.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 8.8.8.8:53 static.ads-twitter.com udp
GB 199.232.56.157:443 static.ads-twitter.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 142.250.179.238:443 play.google.com tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 store.akamai.steamstatic.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 66.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 242.150.64.172.in-addr.arpa udp
US 8.8.8.8:53 141.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 158.56.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 50.233.229.192.in-addr.arpa udp
US 8.8.8.8:53 157.56.232.199.in-addr.arpa udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 23.147.70.163.in-addr.arpa udp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 tracking.epicgames.com udp
US 8.8.8.8:53 static-assets-prod.unrealengine.com udp
US 52.203.233.59:443 tracking.epicgames.com tcp
BE 13.225.239.37:443 static-assets-prod.unrealengine.com tcp
BE 13.225.239.37:443 static-assets-prod.unrealengine.com tcp
US 8.8.8.8:53 220.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 37.239.225.13.in-addr.arpa udp
US 8.8.8.8:53 59.233.203.52.in-addr.arpa udp
US 8.8.8.8:53 community.akamai.steamstatic.com udp
US 8.8.8.8:53 www.paypalobjects.com udp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 25.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 221.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 zn1ynnliufrct75cb-paypalxm.siteintercept.qualtrics.com udp
US 104.17.209.240:443 zn1ynnliufrct75cb-paypalxm.siteintercept.qualtrics.com tcp
US 8.8.8.8:53 www.recaptcha.net udp
GB 142.250.200.3:443 www.recaptcha.net tcp
US 8.8.8.8:53 240.209.17.104.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
IE 163.70.147.35:443 facebook.com tcp
US 8.8.8.8:53 fbcdn.net udp
US 8.8.8.8:53 35.147.70.163.in-addr.arpa udp
IE 163.70.147.35:443 fbcdn.net tcp
GB 142.250.200.3:443 www.recaptcha.net udp
US 8.8.8.8:53 fbsbx.com udp
FR 216.58.204.68:443 www.google.com udp
RU 81.19.131.34:80 81.19.131.34 tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
US 8.8.8.8:53 t.paypal.com udp
US 151.101.1.35:443 t.paypal.com tcp
US 8.8.8.8:53 35.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 login.steampowered.com udp
GB 104.103.202.103:443 login.steampowered.com tcp
US 8.8.8.8:53 sentry.io udp
US 8.8.8.8:53 api.steampowered.com udp
US 35.186.247.156:443 sentry.io tcp
GB 104.103.202.103:443 api.steampowered.com tcp
GB 104.103.202.103:443 api.steampowered.com tcp
US 8.8.8.8:53 156.247.186.35.in-addr.arpa udp
RU 77.105.132.87:6731 tcp
US 8.8.8.8:53 87.132.105.77.in-addr.arpa udp
MD 176.123.7.190:32927 tcp
US 8.8.8.8:53 190.7.123.176.in-addr.arpa udp
GB 142.250.200.3:443 www.recaptcha.net udp
BE 13.225.239.37:443 static-assets-prod.unrealengine.com tcp
BE 13.225.239.37:443 static-assets-prod.unrealengine.com tcp

Files

memory/2384-1-0x0000000000CF0000-0x0000000000DF0000-memory.dmp

memory/2384-2-0x0000000000CD0000-0x0000000000CD9000-memory.dmp

memory/740-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/740-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/740-5-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3188-6-0x0000000002710000-0x0000000002726000-memory.dmp

memory/740-7-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F6B4.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\F7.exe

MD5 de4c178bd1c3dacfebfd8613fc26a2d4
SHA1 8d44dd4559eb6cc5fd768d3c2f5ce1e9fc447a4c
SHA256 365dfa65facc5a2359717d56e1356054fe167102ca27b7c31de004606d9284f3
SHA512 39b1bf2970a530ed562793836a72977ada20eaebd2922f9d78b6d98cbc6703b0af6a91543f24d795a9ff762a26270137d3cf310174b91e951561454d993f0c99

C:\Users\Admin\AppData\Local\Temp\F7.exe

MD5 6ce0199f78347a9a5e895b769ae9309e
SHA1 64081674d72d219458d8f243ae5064bf5cca4a99
SHA256 51088fa721965bd2e7d73e8f1cae4232ce134ef0aec8ab8a48e11da6c3502edc
SHA512 b3130df65c3636c3dfd183461d09ce104e111dd5c5d83960156289b62bdfe720b806e032d4de563e451b686ce018544b63c4ea0576e08acfadf446cad528cab3

memory/4636-25-0x0000000000D00000-0x0000000001684000-memory.dmp

memory/4636-26-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4636-27-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4636-28-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4636-29-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4636-30-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4636-31-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4636-32-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4636-33-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4636-34-0x00000000775E4000-0x00000000775E6000-memory.dmp

memory/4636-38-0x0000000000D00000-0x0000000001684000-memory.dmp

memory/4636-39-0x0000000007FA0000-0x0000000008544000-memory.dmp

memory/4636-40-0x0000000007AF0000-0x0000000007B82000-memory.dmp

memory/4636-41-0x0000000007BB0000-0x0000000007BBA000-memory.dmp

memory/4636-42-0x0000000008B70000-0x0000000009188000-memory.dmp

memory/4636-43-0x0000000008550000-0x000000000865A000-memory.dmp

memory/4636-44-0x0000000007ED0000-0x0000000007EE2000-memory.dmp

memory/4636-45-0x0000000007F30000-0x0000000007F6C000-memory.dmp

memory/4636-46-0x0000000008660000-0x00000000086AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\158A.exe

MD5 cf1bc4d8ce16ec59af85cba9d261d290
SHA1 65c583dd9d2e33c717f18b85f48fdfe24610dd82
SHA256 293a1cc0028ed8726eadd7c9fa9e4128130b6607d623961a35d442f76c9b94cd
SHA512 ecacbc3b75070fab5413903f7906a44c7425e1cad3612ee992ac44baa85ae5269bc6325e0c37ddff4152449316036aa7cf6e410b6d6b094c6028778a43a5dd8c

memory/5044-52-0x0000000002830000-0x00000000028C5000-memory.dmp

memory/5044-53-0x00000000028D0000-0x00000000029EB000-memory.dmp

memory/5020-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5020-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5020-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5020-58-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\21A0.exe

MD5 ab0443c4b5ae89cd913377183852ecb3
SHA1 23cf5fb65377cfe0af63adede50c50fb24dc32ab
SHA256 8252f99b0f6c26c5c6360c896b26d2acf273ec3c68cf2d883fce4727fe926237
SHA512 149ef11f5b394b29310bb43bac8dc7356fe08c8916359b85de8b05b6033c76cb3e230fcd7098bba9acaf7dfc4570aba479b6e9b05369043f1d24a7f5d78e7d7b

memory/3220-71-0x000001C99EA40000-0x000001C99EB7A000-memory.dmp

memory/3220-72-0x000001C9B8F80000-0x000001C9B90B0000-memory.dmp

memory/4636-73-0x0000000000D00000-0x0000000001684000-memory.dmp

memory/3220-74-0x00007FFCC0E90000-0x00007FFCC1951000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\158A.exe

MD5 eee95a6428e72405bc5023502df184b3
SHA1 069d4786efe3081a0658bbdb61a8c2cabb3ebe97
SHA256 264dfacad12c1668aa5764708ccc38d3bc0ce97e635d4896b73ea7cf5f59589e
SHA512 7d54eb1c44255ce9447e7d323f6acad5f96d547ccbd8571383b76f4b33b480b88bb5f31868fb805406a4d56b1a9230c60abc76e732181389e4594b95b19d05a0

memory/3220-77-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/3220-82-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/3220-84-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/5020-76-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3220-75-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/3220-86-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/3220-88-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/3220-90-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/3220-92-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/3220-94-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/3220-96-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/3220-98-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/3220-100-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/3220-102-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/3220-104-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/3220-106-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/3220-109-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/4960-110-0x0000000002730000-0x00000000027CA000-memory.dmp

memory/4636-113-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4636-120-0x00000000087F0000-0x0000000008856000-memory.dmp

memory/3220-122-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/4764-121-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3220-125-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/4764-126-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4764-119-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4636-116-0x0000000077440000-0x0000000077530000-memory.dmp

memory/3220-115-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/3220-128-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/4636-112-0x0000000077440000-0x0000000077530000-memory.dmp

memory/3220-130-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/3220-132-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/3220-134-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

memory/3220-136-0x000001C9B8F80000-0x000001C9B90AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\32D8.exe

MD5 942b38f4ecbbc7cfdc166df495ac9625
SHA1 9b55c4b32871607d4dafc1adf2aa52009b967cae
SHA256 949528d78afb830931ae10113469d7590f9254ba02e75f19d2ecd248f2346376
SHA512 c82ecd64df1f35d8494ccf72f51ddff2a022bfeaa8612397b8a8821d4a9816f282e5cab22a4fc46fcc9e8509c36632d78e9249ce96ef6debf5e3c22c8af87732

C:\Users\Admin\AppData\Local\Temp\32D8.exe

MD5 5f8ee3ea47fc457469c96a9041ad6ef0
SHA1 6123ca110e4874b9d00bae0f033842e4382df6c8
SHA256 bdfa358d6c45481816831d38823f3dd3711b1fb0c600bc1517809a0ca558abe6
SHA512 e7380797390395e83c9e3a6cdf30c1e50ba27650308380bb60dd881afec203ca1e571f6c329108cb5e2932e5cca94427d88cfc8ffa4ce2d7996cf642dbc0cf6b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ot2Cu80.exe

MD5 051e997b5892d2380022416dccb22b99
SHA1 5638241543d97f310a172724465d6a05545dbf88
SHA256 1b1751ada7ad3f6ecdbc7fb464573410d5d1bdbef1116e7528a4631b4d2e5f7f
SHA512 0872ad1e020f61949f985511f227013da5d39c799d373179cf716286954208fe5d611a0dfa71dfef183b06d424c089461577828e397f1915c387be9957056c91

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ot2Cu80.exe

MD5 2ba487225c8685d959324d78a8c630f8
SHA1 9c70d29ee3e3a502bd3af058fd5978c6c874988e
SHA256 cc92f73a4297e5eb85bc56213167d517882641317403a3fe7b73afcdeed0ed3d
SHA512 32ef6a0d37955e74be1feab5cf9801c83be45c4f77170561b998f0706c45ad6dc7e84872eb8b0f40576e776997687839caa0f66ca0ac0d630a85b891380061dd

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe

MD5 fa2038ca477b90166afdcac9cf792196
SHA1 a64e614f7094802c3e5029c95a98391eef5f5e7e
SHA256 7c96ec7bf84a38d548192c6a035a87d1ed3bb2e17ebc67776f47017961a5bc76
SHA512 063b819636b08e4bb9c557c90cc5e1ccee0fa1a4cb6dbd03fa1821811627053f1678cc1faca58d68486ff22a8377bdb09e7e05b669ba1f1a74e64acf8e2118d6

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Wh22aJ6.exe

MD5 3315e9dc77a4df9442eba74210937e15
SHA1 3cb2ff58d4a6ab5b5ee6e7f602c4dd8dc30af23b
SHA256 b4d6478376444b15fd1fafab1067915c586c6c6061429e2d005ec2acd8ec12bf
SHA512 3f990d7d7a7ec5d4872d4151cee30f0f8aec09520199542a5f79c2338f3f6eba227b2605eb1fffd749399161d41aea5332f9ca837f8cc1521803c5ec37640723

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 0d3103a8a7c2db8934e8d0f5e2d5d7be
SHA1 eced10f7f23f99e97f063be32511ac1f387e533e
SHA256 5faaa45547d60673f994de90033f6538a89b261b29e351b92e018b966cba74fc
SHA512 86378cd8c10cf542150edb91a8271c95c003a3cd9b2a6f8330b4ec7567f7c920bb38f336317da3f2262aaf901aec2dfeb2853dc355cb9f95b82f9a2b55a7875b

memory/4636-477-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4636-481-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4636-479-0x0000000077440000-0x0000000077530000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\grandUIAvb7dk1TzC5SgW\information.txt

MD5 bc0f8916f1e150b367a75c5d8ab826ac
SHA1 b7ecaa4fd9387f35fd28c6541793bc8a41dc1305
SHA256 0b26cf5621644b24fb726b96082b23f4be204a40a160bab7e49384a4798fa030
SHA512 27b61c1cad92d01ae880d8a5f4fef69971908d83f1d658e92a3540d60e534da81ffed966be2da6ea86dac0d593929dbd67ac8019e1efd4309214a46065a249e6

memory/4636-777-0x000000000A020000-0x000000000A070000-memory.dmp

memory/4636-895-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4636-896-0x0000000077440000-0x0000000077530000-memory.dmp

memory/3220-1115-0x000001C9A08A0000-0x000001C9A08B0000-memory.dmp

memory/3220-1117-0x000001C9A0860000-0x000001C9A0861000-memory.dmp

memory/4636-1118-0x000000000A4B0000-0x000000000A672000-memory.dmp

memory/4636-1119-0x000000000ABB0000-0x000000000B0DC000-memory.dmp

memory/3220-1120-0x000001C9B90B0000-0x000001C9B917A000-memory.dmp

memory/3220-1121-0x000001C9B9180000-0x000001C9B91CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4qP694AX.exe

MD5 fd2fc77b9609101c0741e38b2c18e650
SHA1 e2c026bb23d9a555f5d154a6579f6c15f357308b
SHA256 371970513a1b2fd3dd6e6ee90ab86963121cf577ad2813530131c816c907fafc
SHA512 c255b9b15b3d197b50a02e243e938c33d6850f5136b6df4a454d8125470489f4aca32b565537aae772a37dd86521f54fd8c2f45255768824f54a488f8e81f431

memory/5064-1125-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\21A0.exe

MD5 1c18a32e08edbf740cca2f9bc739c1dd
SHA1 b6412cc6d9784f54d8cb768c2755ec4e7a2d927c
SHA256 67f3a49e19c4c2bbc8b2aa3b8a401d98568baf8f6339c93e9c9434a06dd510dd
SHA512 5aa6b9c3857f9d981a645ec39ee06c5379f7ccf3030abc6f3e3f4030423c9204582c69e24811bff58b79121c67b21aaf7f5d43119f93242027d4841dfdcdecee

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\21A0.exe.log

MD5 bdd50fab193bb1a687efd2214c3ddd75
SHA1 2ed9874e543e755b7d7fb9f52fd687f2c287399f
SHA256 bfedba89a98eaff3bc2b9cabf01a9059f5a052e3849fb08f6fa00f845abc11e7
SHA512 318c4096b76cdb767ecc13ea9887098312140e2851c0a7b3e925d71bfc9ff03bc14bc8de9c3c38de39bc836368c0e29a09b9603d0769ebab4204895ae2f8c444

memory/1084-1130-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/1084-1132-0x00007FFCC0E90000-0x00007FFCC1951000-memory.dmp

memory/3220-1131-0x00007FFCC0E90000-0x00007FFCC1951000-memory.dmp

memory/1084-1134-0x0000027D187F0000-0x0000027D18800000-memory.dmp

memory/1084-1133-0x0000027D186D0000-0x0000027D187B4000-memory.dmp

memory/5064-1885-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Tk8hR5.exe

MD5 50dfe3a55b8bfd09df79709e49116b6d
SHA1 a4b0e4717e79fe6874c0235b4d1318198a555e97
SHA256 825a9bb10364ebb2817aa5a0ba56d439648508fcbcc9934cc5c86e5f2f3193a6
SHA512 375f15af8697ce0188cd46677b73dba761da8580bdcc980cd44d91f5bcfdeef4eecdc654250479a52d8986ce4608f53dc8e92818143125751363ca5a0b46a7c6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9757335dca53b623d3211674e1e5c0e3
SHA1 d66177f71ab5ed83fefece6042269b5b7cd06e72
SHA256 02f0348e2af36f2955efda1613dc6480f1c68c8e55f19590b7b58e9355c6a940
SHA512 f13351398f5dd5b6cf638b174dc50ddc782b690c6d4736d48941923a3425b5dff4a9aa0da22773e9abc9559d40f020f268018db902e0a7772b7b1f4d21126f21

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 99c6d53712238251500594400f272536
SHA1 bd5754ded42554644f0e2ff33665376433c43dad
SHA256 26849795cd609f44e4503f447139e99351287ff38edd7022d703c70119b82598
SHA512 585c1e4833560cdc87e3c79b7ad3cb449e7254c28a246eccc2f2ec9d205808b16ef5f55d155b421860f7d3d0a3bfea6ed6c1b9a7a31cf4070fde052710f58998

\??\pipe\LOCAL\crashpad_4856_KNVEJWFLAWPDZPUI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7d0c2ddbba40616c6ac5ceb1cc10793e
SHA1 b1f76fd9003759b5fd56a97b354826f5525240ee
SHA256 401a6454fbd847f503904d6a5d0e18a6352ea10f512321e2082e43b98c1ddeaf
SHA512 93afc38e049e2883c0ea562407d71086bb0d7361377c7dd626a74fe1dac88e52647077f168dad4108111851992f00c767aa78d51efcc807601ee5429ba3e9643

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 429c2047d6e4cd725957037d5e5b2a03
SHA1 6b27fd8acf3a69a60a865f219cac530ebe096ab8
SHA256 3d5aa720f8aca76f1d73877deb818a693a34fcee92b7440371e41aea9d0cf420
SHA512 2849e5f8e1a5da56eaf452324cf760f53fc97948212b4b0158e110b8a011e1b26e60c66ad9117496e043562dbf2046da79da1999f497ddefaaed4b31958a85e5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 41047f6f2ab6f31e3d0d6458a6251741
SHA1 924bedb650e0d64e79d0dab7db148b3daffd31c7
SHA256 029973dd7e5c10e41d6dd31b8e58806dd8b23ac15bd7dae7270382ddef32efca
SHA512 6506fdbcd72c2638813c64ab82e2a774a2cfb91040c95f0dc9f514fc5384dce67ecb9258dd65a5f2f290c53e6dada10e317b81df58b5cbbe466e2fb59c6b40b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 e147c920814fa1d82cd36870dbbf8c88
SHA1 ede07a78508ba419a01c973e03a7e1c6bc711e76
SHA256 450356c97f2a0a4e3cdbf1f640ae06adbea001b15ab761d20f89aa2cdb001b83
SHA512 4160ea007278a87533f54754218a87992247388727c2c29539bf7af2a69c09d7b53809c7c7fd8ff9730e4a9fdb9c97b7d3fa2268476031ab808ac08349fe1ade

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 24710ed5626fab48f803c6829e613025
SHA1 f293c1a08005778e90e1987ef93f839c788f69ef
SHA256 86d6a592cbe1cc5a2e46858b8e8ae33c4df115970feb4750f0c7813d6caa9437
SHA512 4fb03c26abe886e051ed82f199dc72eae6c3a4a74685f5f931636893b325bbc78171134242ab2baef8de9347e47a74ccc02fd3edc82342a201dabd2cd001ad6f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 19b4113bd5d6c609c33f3c5c4fcd824d
SHA1 45ac55d79a19ece3a8298802cb1aeb24388c5a07
SHA256 271140be872faa6edee20e454e04bb58d731c094f65d0fb63bb58d554f7f2069
SHA512 6c64cd6b134ca060a402596175ff10439a02e4f7fbae30ab0b5d9e0acb50d8a9376df2a4df21af76e01163d3445f614c8004698ebcf0f178516a03ab9ed9c7a8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bde1f605-5305-4c56-92bd-9723a4a56970.tmp

MD5 c0499655f74785ff5fb5b5abf5b2f488
SHA1 334f08bdb5d7564d1b11e543a2d431bd05b8bdd1
SHA256 6aa332a4d21802b2dbcd08e153764da60f538ceb0daaaaf7504ba8f67c08ef03
SHA512 5f0cec6dd823f2b3ac62017383dbbf71ed38893724312ec75e73fb197e0bcd5418bb70fdfe9150f5ca495d5f8547d8a08618bdacb5010514a3cb1101437d698e

memory/1084-3510-0x0000027D18970000-0x0000027D18978000-memory.dmp

memory/1084-3511-0x0000027D18980000-0x0000027D189D6000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 bc46d75ed6f839e0b2df7acecbdd0204
SHA1 341feec6be67ebed3222fdc89bf38a847da072bd
SHA256 0d98856dd0810f693d519a26247675566ac82a0e0872c5d9725b6002bdbbcb61
SHA512 a914857a97c031d523e00e44ec08fcaa86919452877713de9cbe77880baf7bef69e32810e1e2b4940c899bc51d190b913876486cd0160e37a6809f6f02382446

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/1084-3559-0x0000027D18D70000-0x0000027D18DC4000-memory.dmp

memory/1084-3567-0x00007FFCC0E90000-0x00007FFCC1951000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

MD5 923a543cc619ea568f91b723d9fb1ef0
SHA1 6f4ade25559645c741d7327c6e16521e43d7e1f9
SHA256 bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
SHA512 a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 909324d9c20060e3e73a7b5ff1f19dd8
SHA1 feea7790740db1e87419c8f5920859ea0234b76b
SHA256 dfc749d2afefe484d9aa9f8f06d461ad104a0ca9b75b46abfaaddda64a5e9278
SHA512 b64d2dce1f9a185fbb8a32adc1ff402d8045d379600bf3f9154bbde18303610f18af9fce258442db1e621ecf10b77aafe99cffedfcbe2a1490056c50cc42d0f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

MD5 d55250dc737ef207ba326220fff903d1
SHA1 cbdc4af13a2ca8219d5c0b13d2c091a4234347c6
SHA256 d3e913618a52fe57ab4320e62a5ace58a699d6bce8187164e198abe3279726fd
SHA512 13adff61e2cfa25dc535eba9d63209b7e7e9bd29fc4d6c868b057df7f680aa66ef5783a0e82a8367185debf7f6fe5bae89adc0770daff5317d2e16db5ad3ab39

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 537af95fefb54fbb31b5de0a372e9f3d
SHA1 cac6114a3bbfba109daca360b0d345e00a47151a
SHA256 733879e783dd713a55070840b9c75c5889a533b2e23ede8e5a9a4939d58e01fc
SHA512 1a2ba8601d01ffe9427f2f302073bcc80d1fed1eb5f2e3a6e742dda914a283ed8db57ef26e1bd963869fdef14a89ecb2ccd6cdd68f8bbf783f7fef9749dfbf1a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58cf13.TMP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

memory/4636-3815-0x0000000077440000-0x0000000077530000-memory.dmp

memory/4636-3825-0x0000000000D00000-0x0000000001684000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

memory/6956-3927-0x0000000002B80000-0x0000000002BBC000-memory.dmp

memory/6956-3928-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/6956-3929-0x00000000079C0000-0x00000000079D0000-memory.dmp

memory/6956-3930-0x000000000A810000-0x000000000A85C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

C:\Users\Admin\AppData\Local\Temp\latestX.exe
