Malware Analysis Report

2025-01-02 03:48

Sample ID 231211-gaznhaedgp
Target 5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30
SHA256 5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30
Tags
dcrat djvu privateloader risepro smokeloader zgrat up3 backdoor paypal collection discovery evasion infostealer loader persistence phishing ransomware rat spyware stealer themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file 5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30 was found to be: Known bad.

Malicious Activity Summary

PrivateLoader

Detected Djvu ransomware

Djvu Ransomware

Detect ZGRat V1

RisePro

ZGRat

SmokeLoader

DcRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies file permissions

Executes dropped EXE

Checks BIOS information in registry

Reads user/profile data of web browsers

Themida packer

Drops startup file

Deletes itself

Reads user/profile data of local email clients

Checks computer location settings

Checks installed software on the system

Checks whether UAC is enabled

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Detected potential entity reuse from brand paypal.

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Enumerates system info in registry

outlook_office_path

Checks SCSI registry key(s)

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

outlook_win_path

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 05:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 05:36

Reported

2023-12-11 05:39

Platform

win10v2004-20231130-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe"

Signatures

DcRat

rat infostealer dcrat

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
(26 hits in total for this signature, each with every field N/A; the report captured no indicator, process or target for them)

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
(9 hits in total for this signature, each with every field N/A; the report captured no indicator, process or target for them)

Djvu Ransomware

ransomware djvu

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\B23B.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\B23B.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\B23B.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\EDCE.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
(4 hits in total for this signature, each with every field N/A; the report captured no indicator, process or target for them)

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6870eade-f647-4036-88e1-85ac95f64954\\EDCE.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\EDCE.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7530.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VQ0UI88.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\B23B.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\B23B.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ZL153hk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ZL153hk.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ZL153hk.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe N/A
N/A N/A N/A N/A
(62 further hits for this signature, each with every field N/A; the report captured no indicator, process or target for them)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\B23B.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C05.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C05.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\AceFlags\cxnffrqe\ContextProperties.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\AceFlags\cxnffrqe\ContextProperties.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6iD6by7.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6iD6by7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6iD6by7.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6iD6by7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6iD6by7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6iD6by7.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6iD6by7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6iD6by7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6iD6by7.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6iD6by7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6iD6by7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6iD6by7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4672 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe
PID 4672 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe
PID 4672 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe
PID 4672 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe
PID 4672 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe
PID 4672 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe
PID 3276 wrote to memory of 3500 N/A N/A C:\Windows\system32\cmd.exe
PID 3276 wrote to memory of 3500 N/A N/A C:\Windows\system32\cmd.exe
PID 3500 wrote to memory of 1180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3500 wrote to memory of 1180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3276 wrote to memory of 2468 N/A N/A C:\Windows\system32\cmd.exe
PID 3276 wrote to memory of 2468 N/A N/A C:\Windows\system32\cmd.exe
PID 2468 wrote to memory of 992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2468 wrote to memory of 992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3276 wrote to memory of 2796 N/A N/A C:\Users\Admin\AppData\Local\Temp\B23B.exe
PID 3276 wrote to memory of 2796 N/A N/A C:\Users\Admin\AppData\Local\Temp\B23B.exe
PID 3276 wrote to memory of 2796 N/A N/A C:\Users\Admin\AppData\Local\Temp\B23B.exe
PID 3276 wrote to memory of 1912 N/A N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 3276 wrote to memory of 1912 N/A N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 3276 wrote to memory of 1912 N/A N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 1912 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 1912 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 1912 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 1912 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 1912 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 1912 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 1912 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 1912 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 1912 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 1912 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 1008 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Windows\SysWOW64\icacls.exe
PID 1008 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Windows\SysWOW64\icacls.exe
PID 1008 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Windows\SysWOW64\icacls.exe
PID 1008 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 1008 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 1008 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 3808 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 3808 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 3808 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 3808 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 3808 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 3808 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 3808 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 3808 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 3808 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 3808 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\EDCE.exe C:\Users\Admin\AppData\Local\Temp\EDCE.exe
PID 3276 wrote to memory of 3160 N/A N/A C:\Users\Admin\AppData\Local\Temp\C05.exe
PID 3276 wrote to memory of 3160 N/A N/A C:\Users\Admin\AppData\Local\Temp\C05.exe
PID 3160 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\C05.exe C:\Users\Admin\AppData\Local\Temp\C05.exe
PID 3160 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\C05.exe C:\Users\Admin\AppData\Local\Temp\C05.exe
PID 3160 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\C05.exe C:\Users\Admin\AppData\Local\Temp\C05.exe
PID 3160 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\C05.exe C:\Users\Admin\AppData\Local\Temp\C05.exe
PID 3160 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\C05.exe C:\Users\Admin\AppData\Local\Temp\C05.exe
PID 3160 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\C05.exe C:\Users\Admin\AppData\Local\Temp\C05.exe
PID 3276 wrote to memory of 4752 N/A N/A C:\Users\Admin\AppData\Local\Temp\7530.exe
PID 3276 wrote to memory of 4752 N/A N/A C:\Users\Admin\AppData\Local\Temp\7530.exe
PID 3276 wrote to memory of 4752 N/A N/A C:\Users\Admin\AppData\Local\Temp\7530.exe
PID 4752 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\7530.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VQ0UI88.exe
PID 4752 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\7530.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VQ0UI88.exe
PID 4752 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\7530.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VQ0UI88.exe
PID 2316 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VQ0UI88.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe
PID 2316 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VQ0UI88.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe
PID 2316 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VQ0UI88.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe
PID 2944 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe C:\Windows\SysWOW64\schtasks.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1791582586-1997866593-3795608343-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe

"C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe"

C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe

"C:\Users\Admin\AppData\Local\Temp\5d4401138edc349b7769ef19c84ca6743afc238cfaeae010d4d52c03ea9c2b30.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2864 -ip 2864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 328

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A50A.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A78B.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\B23B.exe

C:\Users\Admin\AppData\Local\Temp\B23B.exe

C:\Users\Admin\AppData\Local\Temp\EDCE.exe

C:\Users\Admin\AppData\Local\Temp\EDCE.exe

C:\Users\Admin\AppData\Local\Temp\EDCE.exe

C:\Users\Admin\AppData\Local\Temp\EDCE.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\6870eade-f647-4036-88e1-85ac95f64954" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\EDCE.exe

"C:\Users\Admin\AppData\Local\Temp\EDCE.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 64 -ip 64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 584

C:\Users\Admin\AppData\Local\Temp\EDCE.exe

"C:\Users\Admin\AppData\Local\Temp\EDCE.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\C05.exe

C:\Users\Admin\AppData\Local\Temp\C05.exe

C:\Users\Admin\AppData\Local\Temp\C05.exe

C:\Users\Admin\AppData\Local\Temp\C05.exe

C:\Users\Admin\AppData\Local\Temp\7530.exe

C:\Users\Admin\AppData\Local\Temp\7530.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VQ0UI88.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VQ0UI88.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2944 -ip 2944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2944 -s 1732

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ZL153hk.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ZL153hk.exe

C:\Users\Admin\AppData\Local\AceFlags\cxnffrqe\ContextProperties.exe

C:\Users\Admin\AppData\Local\AceFlags\cxnffrqe\ContextProperties.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6iD6by7.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6iD6by7.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffaea5646f8,0x7ffaea564708,0x7ffaea564718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffaea5646f8,0x7ffaea564708,0x7ffaea564718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffaea5646f8,0x7ffaea564708,0x7ffaea564718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffaea5646f8,0x7ffaea564708,0x7ffaea564718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffaea5646f8,0x7ffaea564708,0x7ffaea564718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,13727383071021235971,15641408511187193809,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,13727383071021235971,15641408511187193809,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffaea5646f8,0x7ffaea564708,0x7ffaea564718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,5463207351824250253,16211448744621229263,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,16482193540426583309,1375968163661731941,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffaea5646f8,0x7ffaea564708,0x7ffaea564718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1556,7076753147997694367,3804374594757010022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffaea5646f8,0x7ffaea564708,0x7ffaea564718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffaea5646f8,0x7ffaea564708,0x7ffaea564718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffaea5646f8,0x7ffaea564708,0x7ffaea564718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1

C:\Users\Admin\AppData\Local\AceFlags\cxnffrqe\ContextProperties.exe

C:\Users\Admin\AppData\Local\AceFlags\cxnffrqe\ContextProperties.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8052 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8052 /prefetch:8

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\982.exe

C:\Users\Admin\AppData\Local\Temp\982.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,1361401434044346802,11323786640733328730,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2284 /prefetch:1

Network

Files

C:\Users\Admin\AppData\Local\Temp\A50A.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\B23B.exe

MD5 54d1e094fa3e829b47447afc9eff1ef4
SHA1 8012e9dc3993a52c8c8a20663de9a191c4aa48cf
SHA256 cdd1819b9e5e70a99e9729d961b3b3ea6483284a30e4898d4b843f4d14b5760f
SHA512 4d68ce8f09f81c71c7f04f26ceff20456846f5220dcd4a16adaec0b6a8d13cdea2bc9738c89ebb4e6059c55882f17cd7579480062d9f1d5a48b7ae22ee37c733

C:\Users\Admin\AppData\Local\Temp\B23B.exe

MD5 7c22ec2a7e6af4211ed6d7ae7b975707
SHA1 226e18b2be0d9b255e4983791925d4257b195e2f
SHA256 05e30f95adccecb1c01d4dbe589c4e2526c62473c4403c41d7db4a6474832c66
SHA512 424b5ef844f2b26fd3a2b4aa9982317e7eda809c9678b8c71ce3a61da061dfdf2a2dc88b8041a014129632ba143c1d3049098e8739a991a3ef7e284e72de18d0

C:\Users\Admin\AppData\Local\Temp\EDCE.exe

MD5 908e9c3d18f933f25b2f26fa831819a0
SHA1 ea1c56a215a9629a84edf3c471a1ecdb463158c7
SHA256 30edec776547eb5a243187deaa679e29a2f15e90d647b885dc6bc499cc80b37b
SHA512 614e3fd9094b6ca8d910fa70f15337b9b97da70de85e0acbaaa49cfa3a40eee2b391bafee8be03f3357e949af6efe07f34caa95b66e609be513f286f43901275

C:\Users\Admin\AppData\Local\Temp\EDCE.exe

MD5 f0c6e98648332de5caf7a37c60ef591a
SHA1 f365ecab816590048265a9a41186fe025ea10e62
SHA256 2e196e2d7d26b420328a872fcf6c182426566eb92bf120206a753d2b7418f383
SHA512 d5b37a55468746f195d5e347bd1605c6d8c65d70a27b4cf9dd16cf6a6d6bd1633c7d6052ad479ac09886de88eb59827a3cddd86232209e0a8d596c7171d15945

memory/1008-52-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1912-58-0x0000000000B2C000-0x0000000000BBE000-memory.dmp

memory/1912-59-0x0000000002560000-0x000000000267B000-memory.dmp

memory/1008-63-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2796-62-0x0000000076850000-0x0000000076940000-memory.dmp

memory/2796-61-0x0000000076850000-0x0000000076940000-memory.dmp

memory/2796-60-0x0000000076850000-0x0000000076940000-memory.dmp

memory/1008-57-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2796-56-0x0000000076850000-0x0000000076940000-memory.dmp

memory/2796-55-0x0000000000050000-0x0000000000B1A000-memory.dmp

memory/1008-54-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EDCE.exe

MD5 20d24f98d302b52c05b6b5f2bd563b7e
SHA1 55d252bd977e6ffc7271ff317488b29b3d2e6896
SHA256 b8c0d5d8eb6cc92bc148f0a5e0dcf0a31c40f891cc8ad43979bf86f273574b7c
SHA512 13f2406fbc0439dcf1542741b46a5ca583738f587a664abdfdc2dfffee6ea6f78f0ce25857777fc8643c9048d249a10df480a23a02418016dfc141f9b5e155fd

C:\Users\Admin\AppData\Local\6870eade-f647-4036-88e1-85ac95f64954\EDCE.exe

MD5 5446fa386bfe7e836c795abe58ebf768
SHA1 6464491595cb73db1f40bbf7beba06b1f2f4c7e8
SHA256 607fa4d261c62dce196ea2f7f9035d0425599cea650f3b9367a5b62267213014
SHA512 5ed955db44a30e136129a315069f5bdf084d18596498f9a11d5c196bb1c5e8464c8031aa12bd8e50a02eef7ccc1db126a34fb8e53f96816a6d757cd09ab61d93

C:\Users\Admin\AppData\Local\Temp\EDCE.exe

MD5 c040d1e1109b71dbdf93cbff3c92c2fb
SHA1 f715ea48486468b90ae45d46b856bf6999198a29
SHA256 ab9690e4103dbbebd8ad7f92d72815291264e6b2bb9663efa77ad378ef5362f5
SHA512 16e3d338f300aec72e40421051d40d3c038fe5edf339a2c506fc31bd23415384b46d3dd83803af343b9abe339d8657bb382769009002cae02cc82f0bada8afe4

memory/1008-73-0x0000000000400000-0x0000000000537000-memory.dmp

memory/64-80-0x0000000000400000-0x0000000000537000-memory.dmp

memory/64-83-0x0000000000400000-0x0000000000537000-memory.dmp

memory/64-81-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3808-78-0x0000000002490000-0x0000000002529000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EDCE.exe

MD5 2e691c7a499f0bc32f0ea6c454312970
SHA1 f2c23c22abc32e44b929d6a94ac585ea27c4fcbc
SHA256 9f15ea34533c4625d779a9e3f7e3f32ff2d9a9b48eda5fa8dc05fa249bafc433
SHA512 c855eb81328d09bb344d516b5fb06fe1bd9799506ec61389ef28ffefe38d0526cb97ed2bab3511f8fca29ab0e190b522f49928604e57d2a22888e7358f4f24cb

memory/2796-76-0x0000000076850000-0x0000000076940000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C05.exe

MD5 f65fa98884fb39a7fea113f8152ef174
SHA1 7d949db7197c15451a802f760245c06def588ea1
SHA256 1ba9547badec171a95393980ca6ea6385a4a914b8d90e96502e4a71084b56bce
SHA512 85e72b9d9f84b473a74f34ba4a004a75393ee577b0f0b039a3e323bb0fbde6d566a8c304bf2cff5b19d45020cc3f7f7062bcd2909d18a1d9880c08adbb082ac7

memory/3160-91-0x000001F8518F0000-0x000001F851A2A000-memory.dmp

memory/3160-93-0x00007FFAE82D0000-0x00007FFAE8D91000-memory.dmp

memory/3160-95-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-99-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-105-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-115-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-119-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-125-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-129-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-135-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-137-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-139-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-133-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-131-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-127-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-123-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-121-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-117-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-113-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-111-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-109-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-107-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-103-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-101-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-97-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-94-0x000001F86BE90000-0x000001F86BFBA000-memory.dmp

memory/3160-92-0x000001F86BE90000-0x000001F86BFC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C05.exe

MD5 5699c3f436378cdf73b97c15a708d0ea
SHA1 9ae9102b4bb79aac63e1f9d00a7260e7dd19c7d4
SHA256 7b4f6626c72b07523a9be0827f499b73b59203c245024c4c0f16659af834aadc
SHA512 e8814d5d108549e9b6d4fe9c327ce4bbcab8250541b30cb8b722651df873504504c00c048ff63786035a08a7acde717b144317ed0c9a14e214f00af2783d1324

memory/3160-1017-0x000001F851DB0000-0x000001F851DB1000-memory.dmp

memory/3160-1016-0x000001F86C010000-0x000001F86C020000-memory.dmp

memory/3160-1019-0x000001F86BFC0000-0x000001F86C00C000-memory.dmp

memory/3160-1018-0x000001F86C020000-0x000001F86C0EA000-memory.dmp

memory/2848-1024-0x0000000000400000-0x00000000004AA000-memory.dmp

memory/2848-1027-0x0000022BAD110000-0x0000022BAD1F4000-memory.dmp

memory/2848-1026-0x00007FFAE82D0000-0x00007FFAE8D91000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\C05.exe.log

MD5 bdd50fab193bb1a687efd2214c3ddd75
SHA1 2ed9874e543e755b7d7fb9f52fd687f2c287399f
SHA256 bfedba89a98eaff3bc2b9cabf01a9059f5a052e3849fb08f6fa00f845abc11e7
SHA512 318c4096b76cdb767ecc13ea9887098312140e2851c0a7b3e925d71bfc9ff03bc14bc8de9c3c38de39bc836368c0e29a09b9603d0769ebab4204895ae2f8c444

memory/3160-1025-0x00007FFAE82D0000-0x00007FFAE8D91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C05.exe

MD5 525dbdd1a0aead9c0aafffbe55e5731a
SHA1 c706c1c81e02ea71aa1422383a4c2fb08e020947
SHA256 fc334517afec11c623c9b43f9cb70ddf52999cab8748ce51f7456089ca7f0afa
SHA512 aaec93e2b2c1fae30a522c9558f503906ee2e31c253149263806e392dff963ce5a77bace7a2037bba2ce31fcfc8945bbc31387fbfd64289941743f94e9a49bc7

memory/2848-3228-0x0000022BAD2F0000-0x0000022BAD346000-memory.dmp

memory/2848-3227-0x0000022B94870000-0x0000022B94878000-memory.dmp

memory/2848-3229-0x0000022BADF70000-0x0000022BADFC4000-memory.dmp

memory/2848-3231-0x00007FFAE82D0000-0x00007FFAE8D91000-memory.dmp

memory/2796-3233-0x0000000005430000-0x0000000005480000-memory.dmp

memory/2796-3237-0x0000000076850000-0x0000000076940000-memory.dmp

memory/2796-3236-0x0000000000050000-0x0000000000B1A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7530.exe

MD5 0433c3ae052ce6c58bbea85ee4d98d9f
SHA1 958cba2793f0b5122bfb458e73794a0cd2425f38
SHA256 9bdd1d7c4b42316cfd48ea5825e3c9db1ed5402fbb6b9857a9b52aae5905b290
SHA512 1e5919e730bac8e39e3f3763223f91f44832556b3d33388a38e2382031850f5e1abd9c447dadf796f3778133745493a0ad155cdb92c18bb5d872258977e7c72e

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VQ0UI88.exe

MD5 6ea67c07136e87af5113156ff77ad290
SHA1 1bbb2f52360c11606be6addcd31ec14cbdd19812
SHA256 96da22ad62dfece411aa6fff4d5b79dd53f771ced99fe249887dfee9f1dd50db
SHA512 6b3bd19779ef5cb2426b5b2d55101d5c92a17c94b7db8d8330454b82a150a79ab093a4771cacdb5833c8f8789a3b82d47050539b6b56d253d5cde34cd9fa8408

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VQ0UI88.exe

MD5 69732a3e5af237a576e107068327169d
SHA1 aece8ad181e2b35db2cac93ed1b28ba85a3f3e32
SHA256 48a1dad6d0638e4586e315104a37a7e6334099792305e44693c99bad52b6acf8
SHA512 fc43a2e49b86246d1efd732abfd2ed27d74b4dfaa94c033f94effa726be041d33cd3c96eb59ca99857a7e04046b53159e8b8ea9514471693e9ec0454fbb91f6e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe

MD5 998e8b2cf5ea1a85b76225e5312e6351
SHA1 1a0a05e8cc174049ba02a6f2202266f544da0096
SHA256 f9b6823d4a5cd88c372eb5b59d088f36d65c3f7b5825b88a929bb874faa2872b
SHA512 cbb52497417e24d81b5f5f3a32ca28c10b3497c88b98afdc25b7c775a264aa43416ab82f4508844dc878a6553dbe4585b6931a4573f52f23f7cf172623519dcf

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Jo27pP0.exe

MD5 204fd879be5a629c5f7c74096fa3ef27
SHA1 a5c1091cda3c7fd3baf0d12ebf85c2d569a2fed8
SHA256 5a89042927389d7d59b0dff9847ce563342456c50b1e3f7976908ad73c84dc2d
SHA512 488b954b320ef85443ae810caf5d38f31b3afe29f83b72fc9eb3130f6e3b19e48b4cf149d1116faa138c2fa5a146faa9179cacb3a822e85e9ae4d3d651c99bd3

C:\Users\Admin\AppData\Local\Temp\7530.exe

MD5 4c041185d880a6b94795e70a75fc46af
SHA1 6c553c1a38a601d230f555cbaafe55908268e627
SHA256 cc01945409eb1f78216aaeaea52d1646e55e829d08429458b90ba3316f913472
SHA512 805cbfecc00186ecd4200083c6f4abeb9e26f1f139daf7b563bd1cec72d3f7fd7a072091191d740f50bc5dbe56100f4da8da28e90b7c7560abb73b6d5170c12e

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 22814a0a7ccefcf833870053c11c37a0
SHA1 0aacd19f4fc49b4f66b71bb65972576cd4047e21
SHA256 4277624332421b32c5cf6bb1e73b5306554520afc624d2a9ff0922a48f66eea4
SHA512 d66764d9cc91c85f527e19f870f4dfb1212a1b3904eabac269c5c78d66c0abdf58bf051e9007117afec268bd665a7eb0c7dedad5b7d4a8113b208c8789b33722

C:\Users\Admin\AppData\Local\Temp\grandUIAydQ0lKDqhXDD4\information.txt

MD5 108c789dee41b48be69b0832d3a547bd
SHA1 d8f9dffd6038f7fe4f53538bc10c8f13d520776c
SHA256 4ebea88661b35564b449dccf523228a34090e086b33cf4ba6d1411b199755036
SHA512 6bc56cac73171f3e7f022f2f6d31ee2f1f8b60d66fcba338deb1200f488b567e01ae53c86403c37eb9c3ac6f023527c0f58ea81c3690390686c27830141eb03d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4ZL153hk.exe

MD5 dd71f588fd828118b376c19e093d82c9
SHA1 9f27d27dec90d83e7b3520df8b7fdfe4a0ea5f13
SHA256 1096f473a415bdf60bdbac73c6576e175dff0dee28954161e762b0bdfe170c69
SHA512 d6857a3f2e8ecbb9646098c796fa34481e5e54a5b47c90825e52311464723defb1e902fb184c83d307755345c4e71ececeedcf425e8998374bdf85cf3e577fb8

memory/4592-3334-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\AceFlags\cxnffrqe\ContextProperties.exe

MD5 ab0443c4b5ae89cd913377183852ecb3
SHA1 23cf5fb65377cfe0af63adede50c50fb24dc32ab
SHA256 8252f99b0f6c26c5c6360c896b26d2acf273ec3c68cf2d883fce4727fe926237
SHA512 149ef11f5b394b29310bb43bac8dc7356fe08c8916359b85de8b05b6033c76cb3e230fcd7098bba9acaf7dfc4570aba479b6e9b05369043f1d24a7f5d78e7d7b

memory/4768-3341-0x00007FFAE82D0000-0x00007FFAE8D91000-memory.dmp

memory/4592-4069-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6iD6by7.exe

MD5 3117d9d77d09f9463a84cf0c5768f9ab
SHA1 f1d9d647e11876d948f1646f853dd7d9d06b4a88
SHA256 005391ccb3c0173c620b4247918fec2e3cb27767ef2ec3033e166092c3cef56f
SHA512 4721c7f0ea1a2932ae9658ac1fe33a0a4c207d04e6cd5506a2bd89b04ca1ec709093d30d93d7002452c29280d9b20b8f37020e22bc3cdde984a9112503b095c1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ae3f322db2ce5486f67f63ed1970430b
SHA1 eebcc22e1f1f217e9f5078d0f02575cbb78bc731
SHA256 296fd26e4db2fc68e1334ac6fc98cf92881c28cc2403a794b7062e8b4d7e5383
SHA512 856ca2456edb93baf561026ed21a738f7319c4d300bf272ad7e78e56418593569997e14145e518a04ec4a44fe85421c2d69768dde400f86dff076f3630466b3d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 330c53ed8d8829bd4caf2c392a894f6b
SHA1 dc4f3eea00d78949be4aded712fcbfe85e6b06a5
SHA256 bbca8b0343812fb9db9b3c59655a18772c7c40bc77f497b89067a82d5e4ce8a5
SHA512 37674d84e4ea2079e8fe9bc45b0ea8fd93ffc8d206547835e4211046ad310ba3e5a397cf444b17a4322f9513cbd91bd92c0b106776b879cb0388ca9386ebd44d

\??\pipe\LOCAL\crashpad_4956_JKBWKCVZWNNYMGWA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3aa9060ea52fd15528101837f6c37c07
SHA1 9c443e5036807943f3fa464f7979648c459e6d80
SHA256 fe9d0443a76cfa682d248f2204de23718c194dbcff35bcd4f97b567bf049d88b
SHA512 1ca6b4caee130c2907aa22174dbd6039868ececd4f640dd2fb55ab2e17ad9d4084b833fd2e5ed955545000dfe8c999588e247bab9dbe955cdd0dd477831e4f15

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7261307e9795b426d250baba3bc99813
SHA1 dbfc7f1ec0dd841b0880a4adb0bb5266816140a5
SHA256 551a150fad5d980890c8934d2cf50df2ea3edaf0568b44229f6b15cc12513804
SHA512 f03d7e9555ce980ed7590565fe5b3eece5d7299d93afb756b0f5cf58b2afce7267d6b92229e923419bfe0f201ab9995596e42369271fde48df9a7551cd809aef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c208098fbcd462d5b3993aff2c2b3dba
SHA1 2ca2d073faa1d51aad882326c23d7dedd4b86d39
SHA256 6b38a65041b756dba9f0a6e8fd5a6c1606c43303bac616b4ec8946a9e708d430
SHA512 e0b09a9e233ad5ac9d12fba58674156d64bbfd84b3168c5a0497651fd53891265764ce35cbeebbf585b1ea12fa37e8bfee221dead8ac0e312a8e9b22b125799f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 41047f6f2ab6f31e3d0d6458a6251741
SHA1 924bedb650e0d64e79d0dab7db148b3daffd31c7
SHA256 029973dd7e5c10e41d6dd31b8e58806dd8b23ac15bd7dae7270382ddef32efca
SHA512 6506fdbcd72c2638813c64ab82e2a774a2cfb91040c95f0dc9f514fc5384dce67ecb9258dd65a5f2f290c53e6dada10e317b81df58b5cbbe466e2fb59c6b40b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 096891f9dd035572e03bde238523213a
SHA1 c19043a68fceb17a14c3c344e443922600432cfe
SHA256 8539ac99a3fd76c509c7ac2bcde7184c5396e3b46bb20bc50a281052bc64f002
SHA512 8ce90ad7adabef49a448535e5c77423c71ed155bb54272653661a414bdeb593084497e8395d5deb54df6af3a61ff3452b893d17bcd24887c4897649f0931bdd1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7f568cbdca4791e7f893eaf465305f53
SHA1 1acc043c82d3941e7bf6299c1888cb5798a9e016
SHA256 793327b1b5e70fae163b0d65978f3f703e028743a319723e544407fd49505520
SHA512 5ce17731d9843aba61fd00fbce5c0359619260c621bbac9d441e9d3dae56d3b82ba1a4630cf98ce17a1396aa754118bc684e4d1c42a2b3460bd6ac9aea193801

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 aa91e53a5dd28f087386fc918d00dcda
SHA1 cfee1dd50b7642eb12de460ea3c1ea61b40dc2ea
SHA256 9c76482ddd4c7372ed30148a8d5289e18c01b562bec863580c4e93693dfbaf26
SHA512 d921db7990b210067ed83bd28fcc45b51eb292273a52aae12c9612d9bc69080c2b144e95be156b2b4c5e2dc4ad2ab70a1a7a862a6b6094485d043b897d18cc88

memory/4768-4421-0x0000025BB2080000-0x0000025BB2090000-memory.dmp

memory/4768-4422-0x0000025B97E70000-0x0000025B97E71000-memory.dmp

memory/6440-4427-0x00007FFAE82D0000-0x00007FFAE8D91000-memory.dmp

memory/6440-4428-0x000001E12C0E0000-0x000001E12C0F0000-memory.dmp

memory/4768-4429-0x00007FFAE82D0000-0x00007FFAE8D91000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b96895d870a001b828c891f29149df9b
SHA1 ee6634983184de8bc4f337fbd794f2f1c4512a90
SHA256 d3b25f0bcf5690b454391c0f793764bcc919ff85e15b1fd0f376265d90d912d5
SHA512 e518653bbf6a2df259c460af1b9a1a402ede2bc03e3ed3465d4ccbe9da1560bc0840d8603a3769bfa2e009677227ff7324b2ef477464b3051d54a63b9e234fd3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4f36d59eaa7bf9e734b49f30b9b50112
SHA1 bda41753b0a88122f2941addf9a9687a977e46aa
SHA256 7158e3b7a3f0967eefff2313825788353171ea99788eda8137eb55e0c3874c6c
SHA512 adda34beb0b813f6197563415de66427118b23de42ee4a0a4b2694f03d5c51cc3811009c1b4a4e94ac6342e7c27b332bb4ab407f7766391e53b39b94012decda

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 642c1320fd78c859c77e459a2ce6b373
SHA1 9381494b4b82068a5ee6d144f93874c3c2e7a2ad
SHA256 a83b29b24ebf01b390239fc578d820ff596c2be395f86bb6f1b0868fca3dbef9
SHA512 891913c52311da6946a48c3034730b9e7c4c9ca1541fa477dadf8203b85ea4c8b7dd60b7c63eeea8b19716d71fc11777020a77a45270f2ab1e0109e2bc7ea083

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/6440-6799-0x000001E12C0E0000-0x000001E12C0F0000-memory.dmp

memory/6440-6800-0x000001E12C0E0000-0x000001E12C0F0000-memory.dmp

memory/4520-6801-0x00007FFAE82D0000-0x00007FFAE8D91000-memory.dmp

memory/6440-6802-0x00007FFAE82D0000-0x00007FFAE8D91000-memory.dmp

memory/4520-6803-0x0000017E4A500000-0x0000017E4A510000-memory.dmp

memory/4520-7747-0x0000017E4A4D0000-0x0000017E4A4D1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591dee.TMP

MD5 725d5613193c10dddc2d79fab9baa2c3
SHA1 e28fc0cf24473cf91e12e677ec64bc7aa4ca76cb
SHA256 cba82db7c456f1a5cac54d295ba52c6e3d3b5ffb09d3b1170dd40912a05d1e80
SHA512 aea7d5108f9fa8398d0628c8b7e38abfcfe412d4da9a2db84c476bcc18d940df5e08adfd8d85ffed7358c6a8a96bb991c6b0855470bc7c4c9483642028de0a88

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 de0ad8b9ffc6f8df765efec1e44a83d6
SHA1 4f580ac1348657cfca5ef060a2bfc9f5f13db3ec
SHA256 f14cbc988be09625eb10795f047df8c14840626d374fe5d866f55c295455c4a9
SHA512 2b5aee30586e0672219ff18fe2a32835db618e89ed669c8d4bc822a4cd17409f2421dc3f30a52c0feade9d24a9ac8eb859583648c2993cdf470c2d26d8868acc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

MD5 923a543cc619ea568f91b723d9fb1ef0
SHA1 6f4ade25559645c741d7327c6e16521e43d7e1f9
SHA256 bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
SHA512 a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

MD5 d55250dc737ef207ba326220fff903d1
SHA1 cbdc4af13a2ca8219d5c0b13d2c091a4234347c6
SHA256 d3e913618a52fe57ab4320e62a5ace58a699d6bce8187164e198abe3279726fd
SHA512 13adff61e2cfa25dc535eba9d63209b7e7e9bd29fc4d6c868b057df7f680aa66ef5783a0e82a8367185debf7f6fe5bae89adc0770daff5317d2e16db5ad3ab39

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

MD5 909324d9c20060e3e73a7b5ff1f19dd8
SHA1 feea7790740db1e87419c8f5920859ea0234b76b
SHA256 dfc749d2afefe484d9aa9f8f06d461ad104a0ca9b75b46abfaaddda64a5e9278
SHA512 b64d2dce1f9a185fbb8a32adc1ff402d8045d379600bf3f9154bbde18303610f18af9fce258442db1e621ecf10b77aafe99cffedfcbe2a1490056c50cc42d0f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8928417d8a5d658426b44a6176fefa53
SHA1 8f9263ea0a5f1c0a443c6ec410778b55596ca144
SHA256 1769a3420440f4da57ee0eacdd9fddc5b2873a31bef9fb19d3cf5e324085a99b
SHA512 9ecfa7dbd6040b44427764db1c2b2b6be8118abe109146c853b177c67c9f61908fa8a192b4ec166ca06921a5a91985628fe2aa88516b4f9fc011bf035355a72e