Analysis Overview
SHA256
b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b
Threat Level: Known bad
The file b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b was found to be: Known bad.
Malicious Activity Summary
RedLine payload
SmokeLoader
RisePro
RedLine
Glupteba
PrivateLoader
Glupteba payload
Modifies Windows Firewall
Downloads MZ/PE file
Reads user/profile data of local email clients
Executes dropped EXE
Loads dropped DLL
Drops startup file
Checks computer location settings
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Accesses Microsoft Outlook profiles
Checks installed software on the system
Adds Run key to start application
Looks up external IP address via web service
AutoIT Executable
Drops file in System32 directory
Detected potential entity reuse from brand paypal.
Drops file in Program Files directory
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Runs net.exe
Suspicious use of UnmapMainImage
Checks processor information in registry
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
outlook_office_path
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
outlook_win_path
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-11 20:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-11 20:04
Reported
2023-12-11 20:10
Platform
win10v2004-20231127-en
Max time kernel
124s
Max time network
158s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PrivateLoader
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7D78.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\433A.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected potential entity reuse from brand paypal.
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Yg507bR.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Yg507bR.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Yg507bR.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Yg507bR.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-4VF07.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-R10B8.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-QB00S.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-VE1SH.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-KTIAS.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-VMR8P.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-L4RJF.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-DN4BI.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-IOM7M.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-AMTV8.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-7AVJV.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-9CKBO.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-GB62G.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-5U6LD.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\xrecode3\xrecode3.exe | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\install\is-E9QE0.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\stuff\is-EMFDM.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-I7LPP.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\stuff\is-TB1JC.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-68LU1.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-921R8.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-K9HU9.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-RIFTO.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-M009J.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-G4IHS.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-LVN4O.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-4MD4P.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-060SR.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-AAPBA.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\xrecode3\install\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-2EP7T.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-EJ3KS.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-3FCFE.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\plugins\internal\is-CBV6N.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-IM4MG.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\install\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-VP02G.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-AJO5N.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-5TIA4.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-LA0A1.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-18CFD.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-3G3GO.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-K60VS.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-AMMH4.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-EKEHI.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-ST408.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-30H61.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-93U0N.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-SOK5A.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-Q0LEG.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\plugins\internal\is-N6CRJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\is-L6VTK.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-GILUH.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-S1LQ0.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\lessmsi\is-1TGL1.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-UEOK3.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\stuff\is-ABIK1.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\stuff\is-SQUCK.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-C69QP.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-PMLJD.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-44TE7.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-3N5RC.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
| File created | C:\Program Files (x86)\xrecode3\bin\x86\is-4C3EN.tmp | C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7D78.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Broom.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe
"C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1756
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Yg507bR.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Yg507bR.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x174,0x178,0x17c,0x150,0x180,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,6988406033555240497,6448640512200022979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,6988406033555240497,6448640512200022979,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,2509557579768920895,6373054615465222226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,13982932822428225580,2298979103919275646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,18311767221605042811,14462099257836302572,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,2764553708223062316,14479220405539518603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x164,0x174,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7668 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7712 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8112 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8112 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7920 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8156 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\7D78.exe
C:\Users\Admin\AppData\Local\Temp\7D78.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8720 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8636 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\433A.exe
C:\Users\Admin\AppData\Local\Temp\433A.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp" /SL5="$202A2,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Query
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i
C:\Program Files (x86)\xrecode3\xrecode3.exe
"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s
C:\Windows\SysWOW64\net.exe
"C:\Windows\system32\net.exe" helpmsg 1
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C0F7.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C33A.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 193.233.132.51:50500 | tcp | |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 193.233.132.51:50500 | tcp | |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | www.epicgames.com | udp |
| GB | 157.240.221.35:443 | www.facebook.com | tcp |
| BE | 64.233.166.84:443 | accounts.google.com | tcp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 8.8.8.8:53 | store.steampowered.com | udp |
| US | 8.8.8.8:53 | 35.221.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.166.233.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.paypal.com | udp |
| US | 92.123.241.50:443 | store.steampowered.com | tcp |
| US | 151.101.1.21:443 | www.paypal.com | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 142.250.178.14:443 | www.youtube.com | tcp |
| US | 54.242.107.216:443 | www.epicgames.com | tcp |
| US | 54.242.107.216:443 | www.epicgames.com | tcp |
| US | 104.244.42.129:443 | twitter.com | tcp |
| US | 104.244.42.129:443 | twitter.com | tcp |
| US | 8.8.8.8:53 | 50.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.154.214.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.107.242.54.in-addr.arpa | udp |
| BE | 64.233.166.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | abs.twimg.com | udp |
| US | 8.8.8.8:53 | api.twitter.com | udp |
| US | 8.8.8.8:53 | api.x.com | udp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 104.244.42.66:443 | api.twitter.com | tcp |
| US | 8.8.8.8:53 | video.twimg.com | udp |
| US | 8.8.8.8:53 | t.co | udp |
| US | 172.64.150.242:443 | api.x.com | tcp |
| US | 8.8.8.8:53 | pbs.twimg.com | udp |
| GB | 199.232.56.158:443 | video.twimg.com | tcp |
| US | 104.244.42.197:443 | t.co | tcp |
| US | 93.184.220.70:443 | pbs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| GB | 142.250.178.14:443 | www.youtube.com | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 172.217.169.22:443 | i.ytimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 8.8.8.8:53 | 129.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.10.230.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.21.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.56.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.150.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.ads-twitter.com | udp |
| US | 8.8.8.8:53 | tracking.epicgames.com | udp |
| US | 8.8.8.8:53 | static-assets-prod.unrealengine.com | udp |
| US | 52.203.30.102:443 | tracking.epicgames.com | tcp |
| US | 8.8.8.8:53 | community.akamai.steamstatic.com | udp |
| GB | 13.224.81.67:443 | static-assets-prod.unrealengine.com | tcp |
| GB | 13.224.81.67:443 | static-assets-prod.unrealengine.com | tcp |
| US | 8.8.8.8:53 | 70.220.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.200.250.142.in-addr.arpa | udp |
| GB | 13.224.81.67:443 | static-assets-prod.unrealengine.com | tcp |
| US | 199.232.168.157:443 | static.ads-twitter.com | tcp |
| US | 199.232.168.157:443 | static.ads-twitter.com | tcp |
| US | 8.8.8.8:53 | www.paypalobjects.com | udp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| US | 8.8.8.8:53 | 102.30.203.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.81.224.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| GB | 104.77.160.220:443 | community.akamai.steamstatic.com | tcp |
| GB | 104.77.160.220:443 | community.akamai.steamstatic.com | tcp |
| GB | 104.77.160.220:443 | community.akamai.steamstatic.com | tcp |
| GB | 104.77.160.220:443 | community.akamai.steamstatic.com | tcp |
| US | 192.229.221.25:443 | www.paypalobjects.com | tcp |
| GB | 104.77.160.220:443 | community.akamai.steamstatic.com | tcp |
| GB | 104.77.160.220:443 | community.akamai.steamstatic.com | tcp |
| US | 8.8.8.8:53 | 220.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.168.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | store.akamai.steamstatic.com | udp |
| FR | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | 68.204.58.216.in-addr.arpa | udp |
| GB | 104.77.160.220:443 | store.akamai.steamstatic.com | tcp |
| GB | 104.77.160.220:443 | store.akamai.steamstatic.com | tcp |
| GB | 104.77.160.220:443 | store.akamai.steamstatic.com | tcp |
| US | 8.8.8.8:53 | www.recaptcha.net | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| GB | 142.250.200.3:443 | www.recaptcha.net | tcp |
| US | 8.8.8.8:53 | c.paypal.com | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 192.55.233.1:443 | tcp | |
| GB | 142.250.200.3:443 | www.recaptcha.net | udp |
| US | 192.55.233.1:443 | tcp | |
| IE | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| IE | 163.70.147.23:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 23.147.70.163.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| FR | 216.58.204.68:443 | www.google.com | udp |
| GB | 104.77.160.220:443 | store.akamai.steamstatic.com | tcp |
| GB | 104.77.160.220:443 | store.akamai.steamstatic.com | tcp |
| GB | 104.77.160.220:443 | store.akamai.steamstatic.com | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| IE | 163.70.147.35:443 | facebook.com | tcp |
| IE | 163.70.147.35:443 | facebook.com | tcp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| US | 8.8.8.8:53 | t.paypal.com | udp |
| US | 8.8.8.8:53 | 35.147.70.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | b.stats.paypal.com | udp |
| US | 64.4.245.84:443 | b.stats.paypal.com | tcp |
| IE | 163.70.147.35:443 | fbcdn.net | tcp |
| US | 151.101.1.35:443 | t.paypal.com | tcp |
| US | 151.101.1.35:443 | t.paypal.com | tcp |
| US | 8.8.8.8:53 | 84.245.4.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| US | 8.8.8.8:53 | dub.stats.paypal.com | udp |
| US | 64.4.245.84:443 | dub.stats.paypal.com | tcp |
| US | 104.244.42.66:443 | api.twitter.com | tcp |
| US | 104.244.42.66:443 | api.twitter.com | tcp |
| US | 8.8.8.8:53 | 35.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c6.paypal.com | udp |
| US | 151.101.1.35:443 | c6.paypal.com | tcp |
| US | 151.101.1.35:443 | c6.paypal.com | tcp |
| US | 8.8.8.8:53 | sentry.io | udp |
| US | 35.186.247.156:443 | sentry.io | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | login.steampowered.com | udp |
| US | 8.8.8.8:53 | 156.247.186.35.in-addr.arpa | udp |
| GB | 13.224.81.67:443 | static-assets-prod.unrealengine.com | tcp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| GB | 23.214.154.77:443 | login.steampowered.com | tcp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| GB | 23.214.154.77:443 | login.steampowered.com | tcp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| GB | 104.77.160.220:443 | store.akamai.steamstatic.com | tcp |
| GB | 104.77.160.220:443 | store.akamai.steamstatic.com | tcp |
| GB | 104.77.160.220:443 | store.akamai.steamstatic.com | tcp |
| GB | 104.77.160.220:443 | store.akamai.steamstatic.com | tcp |
| US | 8.8.8.8:53 | api.steampowered.com | udp |
| GB | 104.77.160.220:443 | store.akamai.steamstatic.com | tcp |
| US | 35.186.247.156:443 | sentry.io | udp |
| GB | 23.214.154.77:443 | api.steampowered.com | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | talon-website-prod.ecosec.on.epicgames.com | udp |
| US | 172.64.146.120:443 | talon-website-prod.ecosec.on.epicgames.com | tcp |
| US | 172.64.146.120:443 | talon-website-prod.ecosec.on.epicgames.com | tcp |
| US | 8.8.8.8:53 | 120.146.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | talon-service-prod.ecosec.on.epicgames.com | udp |
| US | 104.18.41.136:443 | talon-service-prod.ecosec.on.epicgames.com | tcp |
| US | 104.18.41.136:443 | talon-service-prod.ecosec.on.epicgames.com | tcp |
| US | 8.8.8.8:53 | 136.41.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | js.hcaptcha.com | udp |
| US | 104.19.218.90:443 | js.hcaptcha.com | tcp |
| US | 8.8.8.8:53 | newassets.hcaptcha.com | udp |
| US | 8.8.8.8:53 | 90.218.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.hcaptcha.com | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| RU | 77.105.132.87:17066 | tcp | |
| US | 8.8.8.8:53 | 87.132.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0a9af243-8fd1-48f1-8e0c-7063d05905be.uuid.myfastupdate.org | udp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 24.52.193.212.in-addr.arpa | udp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| RU | 212.193.52.24:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | edarululoom.com | udp |
| US | 104.21.42.224:443 | edarululoom.com | tcp |
| US | 8.8.8.8:53 | 224.42.21.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe
| MD5 | aa0463911372af33b434c9d204b15f64 |
| SHA1 | 35c55555c532c2bf7c9759eef5203ef997fc2605 |
| SHA256 | 37242cde1eaddbce780c119e10d981a32bb545213368219e1d92c06bef9aaaa7 |
| SHA512 | 6871d81fcef63a406feed362d56efd24ee638d9a84d0242d6665a63d63234cdd164c50878d76f41623917302a54818f9a8aa722f5e5087bd201dd701b2cbf790 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe
| MD5 | 1f11da83022d54f32498aa927af66f9e |
| SHA1 | 96ddd2101b82d98b63d83e8b22709571a5ce6814 |
| SHA256 | 7c0aed8b9c8d11a93ec16b198d2d3ec7de5b143173e1a66a27c412070fdd0e3c |
| SHA512 | 618516734c69fc2cae1270a923993795943667c26b19c6730a2aa6c932de66e0787352926a8e3ec203864d3a630c81576703a5bdcf72dfc9997b2d86fe7c197c |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe
| MD5 | 34ed5c1d6025faea6589b6ffe8a6cbfe |
| SHA1 | dc4ce914fde07e1498baa71b22641262fdfd75d1 |
| SHA256 | f940673a1d027ad343e8532b4215a4de8ada801bcd9d3ac2f449c8d9ff8d889e |
| SHA512 | 3bd237fe5538c4b7183d025a4d9433a80627dc887fb9117a0a5bbe755e8cec38d85435d67e8b02de21bfba217eae518614bb46eb3bb0fa8ddfc9b137164c4c57 |
memory/4404-22-0x0000000002560000-0x000000000262C000-memory.dmp
memory/4404-23-0x00000000026E0000-0x0000000002875000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
| MD5 | 1a7e5fd7e00e85d5e4d5fc7ebc94459d |
| SHA1 | e379ea9f462f9208ad1cd8495738e0e35e1f6eee |
| SHA256 | a5e8dd1ec672a7bcc618b107df8bf169782bb270249273d4b1ede3bb3ed840f0 |
| SHA512 | 2af4386c57682cef1aad6b94a0a319b467a8984616fbff452985a3b083d57e31cbaf70e2d2f247ad52160ceea2220d1934d255684200dc2119ae32801f533686 |
memory/4404-32-0x0000000000400000-0x0000000000908000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\grandUIAMeKqIkURe8cc7\information.txt
| MD5 | f88842b2caf70fd4d21f38ed0d5038a1 |
| SHA1 | d1231fd1a1d246772d9109f7fc4edc624ad86881 |
| SHA256 | cb1a3c9ba7ef196e304003e126793a7ab02443a0c77923dcff238e26eade800a |
| SHA512 | 9434adf7525166a191bb0e1c02e3d4eaa08657aec13797336c28fb7decde42ff24e46545db0d0dcbfaf66987148d1f6afbeb3d8a122a984b1da3142b4b25ffbf |
memory/4404-101-0x0000000000400000-0x0000000000908000-memory.dmp
memory/4404-102-0x0000000002560000-0x000000000262C000-memory.dmp
memory/4404-103-0x0000000000400000-0x0000000000908000-memory.dmp
memory/4404-105-0x00000000026E0000-0x0000000002875000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe
| MD5 | 3d225e1e30b7ac1a3c50a43a2f015320 |
| SHA1 | 4635f54030341a9077ef1b37409b226a86cc1af1 |
| SHA256 | c7dab0b1f7e3b6114fa016cbf4f4cae3e752cccbd1bc1f0fce734805b20ea753 |
| SHA512 | f7cea178c797284e29dd3b6d72600c9e818d2963dcc7c5cf6e7e38fd13dbfc9cbf65990173216141759fca13b63e236b89d2025dcfceab2602608528cc1411ba |
memory/2596-109-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3356-110-0x0000000003780000-0x0000000003796000-memory.dmp
memory/2596-111-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Yg507bR.exe
| MD5 | 93e5f80d3c5c8c59b4edd1198db1c727 |
| SHA1 | 9a428a07f42071c2346dfbb4cd6535a6bc2372d1 |
| SHA256 | cd57cce8ebb63ac29ef9da088cf530d325a662b6208df0b67df57c4baebb49fb |
| SHA512 | 462e81fd3c12e3c87db4f3a0d25509780c2d593340307d0a0586eb3b075e2834c00f642840e1a1b47742033c50d270d80d22ba17882886c163d51fff3462d7e1 |
C:\Windows\SysWOW64\GroupPolicy\gpt.ini
| MD5 | ec3584f3db838942ec3669db02dc908e |
| SHA1 | 8dceb96874d5c6425ebb81bfee587244c89416da |
| SHA256 | 77c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340 |
| SHA512 | 35253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e |
C:\Windows\System32\GroupPolicy\GPT.INI
| MD5 | 7cc972a3480ca0a4792dc3379a763572 |
| SHA1 | f72eb4124d24f06678052706c542340422307317 |
| SHA256 | 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5 |
| SHA512 | ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7 |
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
| MD5 | cdfd60e717a44c2349b553e011958b85 |
| SHA1 | 431136102a6fb52a00e416964d4c27089155f73b |
| SHA256 | 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f |
| SHA512 | dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8 |
C:\Users\Admin\AppData\Local\Temp\rise131M9Asphalt.tmp
| MD5 | f0afef75a8c35c4b5b717717b3534c33 |
| SHA1 | 835fe9e7e0572f8e825f8d3808673df7c9f7f004 |
| SHA256 | 2333f1b225d2555f68012b8697cff67b264273cf89e2eb9ae3ab0748779f9eed |
| SHA512 | 3b7cff3379111176656015567fba1653468bc79051594c87728dd14560070938c833df33a908157f57824a9ed07d44051f52e6743935107444cfa826264de9de |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
| MD5 | 59262306854140414e5cab4c47654450 |
| SHA1 | 21a1f1429bcd996c79179a0d3b568e4009dcfa79 |
| SHA256 | d42c9826be64efe95236245c6473d58b73f615dc3415e8e18eca7cce33710f28 |
| SHA512 | 043dbc301b180dfdd5476c998a5374421ccd0b2dbd9f89ffbf50c840c832c2cd649f73e2dc81cc261d85bb1a7f81fd4fa3cc1782ba30fcf73e5a3b51d1e88b6d |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe
| MD5 | 0f51534e350d66ab72f4a32471d28bee |
| SHA1 | 54e47499538c6843dcb7a7e275daa3ccc8a97b6d |
| SHA256 | 5a067b8e370db1819b466087c0af8eec66747a1937c1a331fb929bab5e99532d |
| SHA512 | 7bfe9f2158d2d13eaee3e505aaf2ad9306527c70aa0af25ab60e81f29591d8a62f9c4cf79ae2ebf2606466fe4dcd4940b7dafb9c0a96be8f4499b562b1467a23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 001e6accd2295500f29c5aa029f13b83 |
| SHA1 | ab18a2236828927b4c0927fe97991f395f587b9b |
| SHA256 | 488b5425924289b246663eb3e7820375e20335c948e1116c5e06a46ab6306df9 |
| SHA512 | 295630689f1e63fa6d9f32dcbf54df669d87570deb0cb12b7b2f804a02a54fc5c9a8b94da3addbe0398da019816084ffd6639a9430e868500a5361c9c2eaca95 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 9757335dca53b623d3211674e1e5c0e3 |
| SHA1 | d66177f71ab5ed83fefece6042269b5b7cd06e72 |
| SHA256 | 02f0348e2af36f2955efda1613dc6480f1c68c8e55f19590b7b58e9355c6a940 |
| SHA512 | f13351398f5dd5b6cf638b174dc50ddc782b690c6d4736d48941923a3425b5dff4a9aa0da22773e9abc9559d40f020f268018db902e0a7772b7b1f4d21126f21 |
\??\pipe\LOCAL\crashpad_896_ZFLPMPXZSPCJTGZC
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | e1ad64aec8921be406884096cb9b2f09 |
| SHA1 | fed4a7ed3336f22760f80ab13bd7e7f5faebc249 |
| SHA256 | bba2b0b18384aed4d5cdb86add568c2f81a00ab9470bdc9c3a3cde6f5f11f7d3 |
| SHA512 | 91ac17bf022577dc0f55fd9db21f649cac928d194d3efaf63fd3cb7e8ea580294d8d067009d8f144ac0bd383613c83d700075e7d11fdd2a9fc10e7d83110bb66 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 09f2e4f2984baf9042ac70f49303ff2b |
| SHA1 | 6439001c0f74e7bb8815911b975e67fdc79d646a |
| SHA256 | 0930763d802610f56c6b05773401e4a1f6a9254b38422b26cbaa07049e03f3d7 |
| SHA512 | 18478b5b8401a82d88f35fcd559b7ba8b257a69d20c55f06580e23a15368c8ae001a9dee0946d68c65c6005a148a95b52bd9436b3c19e9c3e32d5a06b63d9686 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 27a0bb255bd9e76d3bd15a536c17a81f |
| SHA1 | 76e98f5efb09908ba75415a3e4dc0ed18682fa85 |
| SHA256 | f55cec5e6385fbccd9f43a1c67619f5dc5f2a0d8bfe495e5ea1bad5941e9a86e |
| SHA512 | 9748d222ba8daa3ec35514a842381f71fca00dc90373da27e8ef772f0d225ff5cfc98d8571546c5bbef70d2d2366c05d53e25ab2dbccc4d4275a29ecf03bdd87 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8e362b072d104bf9d9dc6321f8fc0e6d |
| SHA1 | b21a27fc468950d8fa26e96908ba66839df59066 |
| SHA256 | 8d0b0b7aa59b81d93179df38195affc528531d984ff1ed6d31324aafc4e9e9ef |
| SHA512 | 8c77fa7dae46d29d0bfb667611f29e53c1d7f0108d0b26ff8234eb1b39649775fc40d2951f649be3617d5b7d1fd0d68c06de05d392ad0a327c091d600cbebb45 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 99a9b3dc7c02dc6cc7dda97208f55f6e |
| SHA1 | 88f4998842fc6e104acf06404f35c28217488275 |
| SHA256 | 8f90d35850675f10f289473311e10c0fc89a68fe9663b3696fbcdc438cfc48f8 |
| SHA512 | f9a7d5e2e3330846c611a81ad3433d62d45cb24da74ce0fb649a528f613681108a61cdf6853a1fb62d0a8562629e9d5a7b3ec044f5166969a8af67118ed85153 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 49d75dc9e0cdaff2e4230b739900f589 |
| SHA1 | f3e0b6dfae0377e88ec9e544e058c9237d42e9fa |
| SHA256 | 4adbc3794898065f75a8ac7a0b5ab3984782c0eb6d344eaeb4f79762b8cee48e |
| SHA512 | 323ba592ecff333f0cb44ffc9ff8a8879580d7b6c90430149d50cabdd085fd3dc179cd132b8762fc3d1f9e19416b7bf8d76ef699fef4ad66e4a04092ccb65a7a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
| MD5 | 923a543cc619ea568f91b723d9fb1ef0 |
| SHA1 | 6f4ade25559645c741d7327c6e16521e43d7e1f9 |
| SHA256 | bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd |
| SHA512 | a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
| MD5 | 7d75a9eb3b38b5dd04b8a7ce4f1b87cc |
| SHA1 | 68f598c84936c9720c5ffd6685294f5c94000dff |
| SHA256 | 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7 |
| SHA512 | cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
| MD5 | 909324d9c20060e3e73a7b5ff1f19dd8 |
| SHA1 | feea7790740db1e87419c8f5920859ea0234b76b |
| SHA256 | dfc749d2afefe484d9aa9f8f06d461ad104a0ca9b75b46abfaaddda64a5e9278 |
| SHA512 | b64d2dce1f9a185fbb8a32adc1ff402d8045d379600bf3f9154bbde18303610f18af9fce258442db1e621ecf10b77aafe99cffedfcbe2a1490056c50cc42d0f9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011
| MD5 | d55250dc737ef207ba326220fff903d1 |
| SHA1 | cbdc4af13a2ca8219d5c0b13d2c091a4234347c6 |
| SHA256 | d3e913618a52fe57ab4320e62a5ace58a699d6bce8187164e198abe3279726fd |
| SHA512 | 13adff61e2cfa25dc535eba9d63209b7e7e9bd29fc4d6c868b057df7f680aa66ef5783a0e82a8367185debf7f6fe5bae89adc0770daff5317d2e16db5ad3ab39 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 866e172ac1dc27cbc741ceda7500f40d |
| SHA1 | 7e5873199a26d7d3082b6a41ec348acdf39c6041 |
| SHA256 | e99dc51d229128723a33c633ed3ce1596f6213f319494303f45a3389c0927bec |
| SHA512 | 3f32fd39e14b46f197ff66fda4021ccddb42ba17661e8e138b88c5086bcd97f3cfe71b0a93a2acd71295fc5b17abeaaa2b5fcd80991504b48237edc1f091c23a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 7a527ffef18934193557efd822859646 |
| SHA1 | 770e5f9e5266acb01893f5757f6d95eed82b8ac1 |
| SHA256 | 21cbc55e32a013b0f9662db957d1e3d263778093afecd025eaf1b60f9278a046 |
| SHA512 | fe1157197018e7bb78b7160c9df9e3342cf31d1cfdb19d5a0b2fbdfd1ccfda24f83998b4fdd13f00d859231014bb1f0420e4f4aecab7afacbd7782b8d34e2192 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028
| MD5 | b3ba9decc3bb52ed5cca8158e05928a9 |
| SHA1 | 19d045a3fbccbf788a29a4dba443d9ccf5a12fb0 |
| SHA256 | 8bd1b2afcbe2fa046b0937197f1b2f393ef821ff89331f99754b9006f0114df4 |
| SHA512 | 86a86d370e96fa29c0c1d12991c2287936b400830869ff7b5abe4de6f32db2df782b626d724496cd6de27f8cbd32101ba34cbcd4c650ef11afa26bc048d68529 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | c0499655f74785ff5fb5b5abf5b2f488 |
| SHA1 | 334f08bdb5d7564d1b11e543a2d431bd05b8bdd1 |
| SHA256 | 6aa332a4d21802b2dbcd08e153764da60f538ceb0daaaaf7504ba8f67c08ef03 |
| SHA512 | 5f0cec6dd823f2b3ac62017383dbbf71ed38893724312ec75e73fb197e0bcd5418bb70fdfe9150f5ca495d5f8547d8a08618bdacb5010514a3cb1101437d698e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c719925c3d223837f50c29c7c0959689 |
| SHA1 | 373bec8d9f6f988051abcd01255dfc53ba05e7b0 |
| SHA256 | f8ca406536cde9aece6c0e845e9e359fce364e40a48c23a7d512f7a6a291c0b0 |
| SHA512 | e54c97bbf8f0c023db615b883545390b38e879cb35ac6c5067cbbc1d612d811aaded3f4cb1f2d3ca8d17bd6d3230a5ce3a4d970737d8dd37ca5c7c94173884ce |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 92e7629827a2df9dfa63238c4b89713c |
| SHA1 | 91f2fa9024deafede49c45d2d7f99343ba820cd8 |
| SHA256 | 0e1e48953593565b5826313a8a812a26366b7a8d17f046d7522e833ad567e3c5 |
| SHA512 | 510bd062d83206f09957a10813e865eb89e5fbd397bbb7e8e4457788cf512c19edecae70e5206a83c3404d870e174a005f9681693053134378eef0dee954ea48 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588cba.TMP
| MD5 | c722d457af164a1c25037b61b17d39de |
| SHA1 | ea69fab4f0e75ed62db6ad52ca8ceb9f6bab6b5b |
| SHA256 | 93e4bfe36c649921a6f2adff2e20ad242d95ad0c71db4b1e231780f3b62e37fc |
| SHA512 | 1fa9e733ec735d1d8a6efbbfa14b65b4e0bca05d03f72af97a7e5b1364615d8560af172d3ea34565c50704621436c29765b89a268299a8eb1f2351611d6e0b1c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt
| MD5 | ecdf5ed9753e6f60996f9a61e64aee11 |
| SHA1 | 0f650fa8414e9733b4b209c8e53d0fa7005886a2 |
| SHA256 | 3b0f06ead053a8fb3907ea84d2d9d23cbb883db8af3d3c145e2b70a418a158b7 |
| SHA512 | eeb011bdd58542b93e1d0b69e71809d4834417bcbf3acad5affddf5d99215951246392be58c9608507378e2184c9903ef67dcf3f74033be7d103ad58e857e272 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 1de34aec46e68314694a0bd4af5c51db |
| SHA1 | b07bb11e11bde5e2222bcb26ac3da56f350c3861 |
| SHA256 | abecc09c02670855fd352a4e62271c57c3d732a87e1f65b81ff8a1134f52d8c4 |
| SHA512 | 43ebb1ec341bdaaa86cbbdc8f57c37600cbe3cf0d1498fb30fd743c4325026b67942a76eafc2c4c2e448671a7ff24821b76a54205b19d861bb5e6d0c183285d9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | cb4cd690c9a933f8dd30127b3d17006e |
| SHA1 | 40a0459871e33dc2c0db99eb49d01aa45b06f464 |
| SHA256 | f255fb981672651ce74688fab12af20f7c77fd2afad6448e374965c87474c02e |
| SHA512 | e1670b7d2babe0fa7f968c5bb8cc5354c39c65132d0457374451e2660f1f161b5e1c51fcd5e4a28d34b20d34442db313645dc65cce37913f259f260c710ba1a7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | b8ec85cb9fe4efcfea8347627f6952cd |
| SHA1 | c136dd4ff421e5aff61cc4ce57e5417ce7511d61 |
| SHA256 | 0bc44adacdc8586cf004756b5a3cc7b7712e6c5d0a3547d349507276c5c59a8f |
| SHA512 | 5bb6827ddf62321a6d2fbf8d08c2b0c9473ab8846fbeec80852abcd05e8dc860b335aa7ffb4e73e741767ba116f5f95008083b97d7393526a4525243a3028cc7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | ac18b4a0333432dd48ca50f98053a4aa |
| SHA1 | f17a44bd10a3febfd5ef0ab71b9b834d67a1c8c8 |
| SHA256 | 8f11a11fd711e2fc0bf9cca7597fbad95fa3911311deed62694615ad1a136f25 |
| SHA512 | 9282510ead016072a2f5c9e72df559b444a100225d996371e94c818974afc42933edc7a7b19e50547f5e616ed73d88f99958fe2117ecf8f06a727bf2e635b96b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 1405c741f63755795d19edd9b373e963 |
| SHA1 | a30ba71fec0435ea132c1d7d3b6a1e79ce0cd48e |
| SHA256 | c5acba901b26f4961e178e4da20c011a2f2d9645e0c97c8fb6cbb901abecc45a |
| SHA512 | 303aad1564212a55b10f13b98b5f1474689ebe0aaa4a25144b4da83953a11e87caff6fa852d275de90e68a6038c4029d0eb7edb4fd792267c7c1efdf4d1c3946 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58bf53.TMP
| MD5 | 146adbfaa48e3a6b7c51fe6b638af9f4 |
| SHA1 | f1fbf1fea98d0eaa167b82c0fb3164c9d20e6896 |
| SHA256 | 7fd77b0df5dee2ffd952317fa0b10c7b0d82c96795a5b072f4c65d6732fe3bdb |
| SHA512 | dd2bb5170ad9495de4914969c937e374e0198d8531c01f34cb26e01f758f46bc56cac2a7a09cbc4925b2963d8bcc403b6ee485f81c36407010e1341b6025ec83 |
memory/4144-1131-0x0000000002550000-0x000000000258C000-memory.dmp
memory/4144-1142-0x0000000075150000-0x0000000075900000-memory.dmp
memory/4144-1147-0x0000000007950000-0x0000000007EF4000-memory.dmp
memory/4144-1150-0x0000000007440000-0x00000000074D2000-memory.dmp
memory/4144-1155-0x0000000007660000-0x0000000007670000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 4eee35bef8796d3d8de9b89d07efff62 |
| SHA1 | e08a52572e11952dcddd6a32fac2901cd9998a69 |
| SHA256 | 72557c6d81f3b23b3cc2eede0403077890c00147f47e7efb9680d7071853da5d |
| SHA512 | 431ad03ff79fe2229a06c7e7954b7dcb765b50c9ef3c02936297b5336d2c287ade88c38011ee54fa0935e7bf806072b764ce37f7b7606a36608186e4dbe8decf |
memory/4144-1167-0x00000000075E0000-0x00000000075EA000-memory.dmp
memory/4144-1170-0x0000000008960000-0x0000000008F78000-memory.dmp
memory/4144-1171-0x000000000A2F0000-0x000000000A3FA000-memory.dmp
memory/4144-1172-0x0000000008940000-0x0000000008952000-memory.dmp
memory/4144-1175-0x000000000A220000-0x000000000A25C000-memory.dmp
memory/4144-1180-0x000000000A260000-0x000000000A2AC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 1841cf73bd2dcc96e98c6274098b3f81 |
| SHA1 | 3d96c3aa6ce03e7b9de96b86f2116eb2bca52ac9 |
| SHA256 | 9a8a810b1739b91e2df4cc8c5a93d1abe758f8efb5fa6454e552e5ade5f48c54 |
| SHA512 | 89c827529b076f8d2736ba258489b401ba1a1d1bc8d7407c971e066dbb800cba76ce9571c346f8edee992a6099578cf9db7400fdab7ca69d691ac0f0b5e31edf |
memory/4144-1265-0x000000000A4B0000-0x000000000A516000-memory.dmp
memory/4144-1288-0x000000000A870000-0x000000000A8C0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 70e412ae2a9c0939b14bcac69aec1482 |
| SHA1 | 0ed0bd9302ed3b395bed9ed70d4e197d54d495be |
| SHA256 | 051037f904022c454bfe2da054536c1d11fd611d5c6472bf5756fd0ad271471a |
| SHA512 | 4755d7fa01feff2ef462dd78d2b1db579063de6383f48e6ff5f562577444eb1d4cbed93577b14716f0351653f65bd04d70b50fe61b16d503327c4f6e2e79f362 |
memory/4144-1304-0x0000000007660000-0x0000000007670000-memory.dmp
memory/4144-1375-0x000000000B670000-0x000000000B832000-memory.dmp
memory/4144-1378-0x000000000BD70000-0x000000000C29C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 56b9cf6c617ba45b4f10622549ebd641 |
| SHA1 | fa9b33f75d10100594f53da20595da3d33b1162c |
| SHA256 | 6bb9bda92152137a85968bbe137edc4b33f2c78174501cd81ed795454625e94d |
| SHA512 | 6efc0c3a73cef1890be620cfbc509a258f52940db682662621ee7addb6cf24f1b7d6a55f2892dc4013a6a7a7b143ecbe2d50eacc9a5ad06cb2a13b43f12600e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 050b28330a355aa4eb2703d2dfd93fb3 |
| SHA1 | a7c4a5632d488e041290fb9727db09a844b5e612 |
| SHA256 | 647e26947d6a451bd7603d26eab59ee74b2fe159b45e1633d0f4efa4c10c78f0 |
| SHA512 | ed13f95d27f93a20fd14ce8d2eff9d1feef64b6d463efe2aa8ab411f44bff80e15ac5458f3356413ff56d638dfc5d4be065f18aaaebbf885ca4d3ba79e170df2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 165c86c0f68b4294ca9541bf90f7d3a0 |
| SHA1 | 5b7e412b3e6e4cb77866c8ba18d842a7d0173970 |
| SHA256 | 6d38cc3c624b23ecc95198e461edab9f5e1e08fc980f02e7b536a0dd17ea3067 |
| SHA512 | 55aace9cebac240f0110cae099f354077a9516f5746446f8f6bfc95b9eb1f4c493a5f4cc5226b5b351de025b09e06d5a6f7b9d08806f7e6ea69488bff300b5f7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
memory/4144-1423-0x0000000075150000-0x0000000075900000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f70c20290a2e195b40e725143f419596 |
| SHA1 | df5a78790a0dc7171257ec02df59e1759f0eb0c5 |
| SHA256 | 3ef19b4febc08f6628ba4fa7cee7ba27307204aaed7b5bb077630249a1537c1e |
| SHA512 | 37e06b4ab99a9e58955e60ff17a135d847be6fbf861091d9f1a53dc3fdd7ff2fa4b9e1cdd2677cfb65be2eeb8601bd9a58a23b0fb00b7f3ed91ef4c4e5c4b502 |
memory/4144-1442-0x0000000007660000-0x0000000007670000-memory.dmp
memory/5852-1445-0x0000000075150000-0x0000000075900000-memory.dmp
memory/5852-1446-0x00000000004B0000-0x0000000001966000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 94a2400ff60adf6ed00ee9e52062f142 |
| SHA1 | 79c5358e861186a0d2b100701a931dee8380f4eb |
| SHA256 | ff380e02f3695245e0ae80591055651504e35417ad9564b396a57dc33038ed63 |
| SHA512 | 25de717b14b9eb433ff111c6232f1f203c777566b8e4b71cca9b8adde47ee335968e155b146b16035b082ed87321dd2b15d5b5a42046565745b0f0c4889b2dac |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 1a692b3e4b38b7f3bcfc4a41b48107f9 |
| SHA1 | 4504eff115b82364d6b939c8916926b7834bff7b |
| SHA256 | 44e931546e99805e15906f972323168ea3fc28e4b3b891f12706238c4419183f |
| SHA512 | 7a15da965ad542b1e4cd00e2ccf55745511067301884cc1579ab4fb2bbcd98f8949450f7eba917da04fd9c125934235371b256186c8788cf5043bada5da2cec4 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | 36322b65968a6e57b57dcc18722a072e |
| SHA1 | df2e5b4dbf462c975286e5e9a7c603f1028ed952 |
| SHA256 | dad40b4d5a65b829214837d6b37ae47e58dd31a2aad862e53c2976eb40b599f7 |
| SHA512 | 345a91dc4108a6c748f523d697b04e199e2e8b612554877180694ef3f4f9e01be5f736a8d6b6dcdae118bbfb5cf905966074104ac1babac65d15cb9386f5e519 |
memory/6268-1478-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
memory/6520-1480-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | dad964f7fba301a84efeafb2150d4396 |
| SHA1 | 2657aa0b73c3930b3ecdf3a61d46fc42c91641c3 |
| SHA256 | 8548e1fbda030faad86295e40cb577dd08c568e820590d142874439baafc80e7 |
| SHA512 | 2282afd07bb0af5f632dbfdac418d2c7f34e4ed53a04c0a75ea26b7c0c1565d13d345af9cd4423fd104814f2dd9742fc858f3bf87a8741447972ea9fc48a476a |
memory/5852-1491-0x0000000075150000-0x0000000075900000-memory.dmp
memory/4144-1504-0x0000000007660000-0x0000000007670000-memory.dmp
memory/7056-1505-0x0000000001FC0000-0x0000000001FC1000-memory.dmp
memory/940-1632-0x0000000000400000-0x0000000000785000-memory.dmp
memory/940-1633-0x0000000000400000-0x0000000000785000-memory.dmp
memory/940-1636-0x0000000000400000-0x0000000000785000-memory.dmp
memory/6352-1639-0x0000000000400000-0x0000000000785000-memory.dmp
memory/6252-1641-0x0000000002A10000-0x0000000002E09000-memory.dmp
memory/6252-1642-0x0000000002E10000-0x00000000036FB000-memory.dmp
memory/6252-1643-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4472-1648-0x0000000000400000-0x0000000000409000-memory.dmp
memory/6520-1649-0x0000000000400000-0x0000000000414000-memory.dmp
memory/6864-1646-0x0000000000860000-0x0000000000960000-memory.dmp
memory/4828-1652-0x0000000003040000-0x0000000003050000-memory.dmp
memory/4828-1651-0x0000000075150000-0x0000000075900000-memory.dmp
memory/4828-1653-0x0000000003040000-0x0000000003050000-memory.dmp
memory/4828-1650-0x0000000002FA0000-0x0000000002FD6000-memory.dmp
memory/6864-1647-0x0000000000960000-0x0000000000969000-memory.dmp
memory/4472-1645-0x0000000000400000-0x0000000000409000-memory.dmp
memory/6268-1644-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
memory/4828-1654-0x00000000058E0000-0x0000000005F08000-memory.dmp
memory/4828-1655-0x0000000005630000-0x0000000005652000-memory.dmp
memory/4828-1656-0x0000000005F10000-0x0000000005F76000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iulwihcg.4yx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4828-1666-0x0000000006180000-0x00000000064D4000-memory.dmp
memory/4828-1667-0x00000000065A0000-0x00000000065BE000-memory.dmp
memory/4144-1670-0x0000000075150000-0x0000000075900000-memory.dmp
memory/4828-1671-0x0000000006B50000-0x0000000006B94000-memory.dmp
memory/4828-1672-0x0000000003040000-0x0000000003050000-memory.dmp
memory/4828-1673-0x00000000078E0000-0x0000000007956000-memory.dmp
memory/4828-1675-0x0000000007960000-0x000000000797A000-memory.dmp
memory/4828-1674-0x0000000007FE0000-0x000000000865A000-memory.dmp
memory/6352-1676-0x0000000000400000-0x0000000000785000-memory.dmp
memory/4828-1690-0x0000000007B00000-0x0000000007B1E000-memory.dmp
memory/4828-1691-0x0000000007B60000-0x0000000007C03000-memory.dmp
memory/4828-1680-0x000000006C8F0000-0x000000006CC44000-memory.dmp
memory/4828-1679-0x000000006E6F0000-0x000000006E73C000-memory.dmp
memory/4828-1678-0x000000007F7A0000-0x000000007F7B0000-memory.dmp
memory/4828-1677-0x0000000007B20000-0x0000000007B52000-memory.dmp
memory/4828-1692-0x0000000007C50000-0x0000000007C5A000-memory.dmp
memory/3356-1699-0x00000000030C0000-0x00000000030D6000-memory.dmp
memory/4472-1700-0x0000000000400000-0x0000000000409000-memory.dmp
memory/6252-1716-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/6268-1717-0x0000000000400000-0x0000000000965000-memory.dmp
memory/3352-1719-0x00007FF6C0B40000-0x00007FF6C10E1000-memory.dmp
memory/7056-1720-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/6352-1723-0x0000000000400000-0x0000000000785000-memory.dmp
memory/5736-1803-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/6352-1827-0x0000000000400000-0x0000000000785000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C33A.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
memory/5736-1902-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/6352-1928-0x0000000000400000-0x0000000000785000-memory.dmp