Malware Analysis Report

2025-01-02 03:50

Sample ID: 231211-ythmrshgb4
Target: b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b
SHA256: b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b
Tags: glupteba privateloader redline risepro smokeloader livetraffic up3 backdoor paypal collection discovery dropper evasion infostealer loader persistence phishing spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b

Threat Level: Known bad

The file b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b was found to be: Known bad.

Malicious Activity Summary

RedLine payload

SmokeLoader

RisePro

RedLine

Glupteba

PrivateLoader

Glupteba payload

Modifies Windows Firewall

Downloads MZ/PE file

Reads user/profile data of local email clients

Executes dropped EXE

Loads dropped DLL

Drops startup file

Checks computer location settings

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Accesses Microsoft Outlook profiles

Checks installed software on the system

Adds Run key to start application

Looks up external IP address via web service

AutoIT Executable

Drops file in System32 directory

Detected potential entity reuse from brand paypal.

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Runs net.exe

Suspicious use of UnmapMainImage

Checks processor information in registry

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

outlook_win_path

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 20:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 20:04

Reported

2023-12-11 20:10

Platform

win10v2004-20231127-en

Max time kernel

124s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7D78.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\433A.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Detected potential entity reuse from brand paypal.

phishing paypal

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Yg507bR.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Yg507bR.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Yg507bR.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Yg507bR.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\xrecode3\bin\x86\is-4VF07.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-R10B8.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-QB00S.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-VE1SH.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-KTIAS.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-VMR8P.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-L4RJF.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-DN4BI.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-IOM7M.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-AMTV8.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-7AVJV.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-9CKBO.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-GB62G.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-5U6LD.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File opened for modification C:\Program Files (x86)\xrecode3\xrecode3.exe C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\install\is-E9QE0.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\stuff\is-EMFDM.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-I7LPP.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\stuff\is-TB1JC.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-68LU1.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-921R8.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-K9HU9.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-RIFTO.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-M009J.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-G4IHS.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-LVN4O.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-4MD4P.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-060SR.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-AAPBA.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File opened for modification C:\Program Files (x86)\xrecode3\install\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-2EP7T.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-EJ3KS.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-3FCFE.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\plugins\internal\is-CBV6N.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-IM4MG.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\install\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-VP02G.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-AJO5N.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-5TIA4.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-LA0A1.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-18CFD.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-3G3GO.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-K60VS.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-AMMH4.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-EKEHI.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-ST408.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-30H61.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-93U0N.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-SOK5A.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-Q0LEG.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\plugins\internal\is-N6CRJ.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\is-L6VTK.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-GILUH.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-S1LQ0.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\lessmsi\is-1TGL1.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-UEOK3.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\stuff\is-ABIK1.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\stuff\is-SQUCK.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-C69QP.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-PMLJD.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-44TE7.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-3N5RC.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A
File created C:\Program Files (x86)\xrecode3\bin\x86\is-4C3EN.tmp C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7D78.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Broom.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3992 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe
PID 3992 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe
PID 3992 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe
PID 3884 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe
PID 3884 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe
PID 3884 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe
PID 1264 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe
PID 1264 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe
PID 1264 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe
PID 4404 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4404 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4404 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4404 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4404 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4404 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1264 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe
PID 1264 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe
PID 1264 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe
PID 3884 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Yg507bR.exe
PID 3884 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Yg507bR.exe
PID 3884 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Yg507bR.exe
PID 3992 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe
PID 3992 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe
PID 3992 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe
PID 5084 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5084 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5084 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5084 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3576 wrote to memory of 1924 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3576 wrote to memory of 1924 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5084 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5084 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 896 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 896 wrote to memory of 1528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5084 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5084 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3960 wrote to memory of 2792 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3960 wrote to memory of 2792 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5084 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5084 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2492 wrote to memory of 3392 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2492 wrote to memory of 3392 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5084 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5084 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 4684 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4424 wrote to memory of 4684 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5084 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5084 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4308 wrote to memory of 508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 5248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 5248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 5248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 5248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 5248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 5248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 5248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 5248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 5248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 5248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 5248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 5248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
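The sandbox logs every write separately, so a single child launch shows up as several identical rows, and reading the chain out of the flat table is error-prone. Rebuilding it as a tree makes two things obvious: schtasks.exe is launched from the third-stage 1TY31zg9.exe (PID 4404), and every msedge.exe instance descends from 6Uu3ED7.exe (PID 5084). The script below is an added example, not part of the sandbox's report or tooling. It parses rows copied verbatim from this table (a subset, so write counts are lower than in the full table), collapses repeats into one parent/child edge with a write count, and renders the tree. All function and variable names are this example's own.

```python
"""Rebuild the execution chain from the 'Suspicious use of WriteProcessMemory' table.

Added example for this report, not sandbox tooling. Rows are copied from the
table above; only a subset is embedded so the block stays short.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the table rows, one row per line.
WPM_ROWS = r"""
PID 3992 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe
PID 3992 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe
PID 3992 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe
PID 3884 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe
PID 1264 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe
PID 4404 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe C:\Windows\SysWOW64\schtasks.exe
PID 4404 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe C:\Windows\SysWOW64\schtasks.exe
PID 1264 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe
PID 3884 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Yg507bR.exe
PID 3992 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe
PID 5084 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 2804 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 5248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4480 wrote to memory of 5248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"""

# Both paths start with "C:\" and may contain spaces, so split at the last " C:\".
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+) (C:\\.*)$")


def parse_rows(text):
    """Return one (parent_pid, child_pid, parent_image, child_image) per table row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        ppid, cpid, pimg, cimg = m.groups()
        events.append((int(ppid), int(cpid), pimg, cimg))
    return events


def build_tree(events):
    """Collapse repeated writes into one parent->child edge, keeping the write count."""
    images, children, writes = {}, defaultdict(list), Counter()
    for ppid, cpid, pimg, cimg in events:
        images.setdefault(ppid, pimg)
        images.setdefault(cpid, cimg)
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
        writes[(ppid, cpid)] += 1
    return images, dict(children), writes


def roots(children):
    """PIDs that write to others but are never written to: the detonated sample."""
    all_children = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in all_children)


def chain_to(children, root, target):
    """Parent chain root..target, or None if target is not a descendant of root."""
    if root == target:
        return [root]
    for kid in children.get(root, []):
        sub = chain_to(children, kid, target)
        if sub:
            return [root] + sub
    return None


def render_tree(images, children, writes, pid, depth=0):
    """Indented one-line-per-process view with the write count on each edge."""
    name = images[pid].rsplit("\\", 1)[-1]
    lines = [f"{'  ' * depth}{name} (PID {pid})"]
    for kid in children.get(pid, []):
        sub = render_tree(images, children, writes, kid, depth + 1)
        sub[0] += f"  [{writes[(pid, kid)]} writes]"
        lines.extend(sub)
    return lines


if __name__ == "__main__":
    images, children, writes = build_tree(parse_rows(WPM_ROWS))
    for root in roots(children):
        print("\n".join(render_tree(images, children, writes, root)))
    print("schtasks chain:", chain_to(children, 3992, 3560))
```

The regex relies on every Process and Target value beginning with `C:\`, which holds for this table; a row with an `N/A` target would need a separate branch. Paste the full table into `WPM_ROWS` to get the complete tree, including the seven Edge launches under PID 5084.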

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe

"C:\Users\Admin\AppData\Local\Temp\b382da86a6f436a30fec38e5c87c02608cc9a7f3b0605bf8335f76f6eb94d83b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 1756

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Yg507bR.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Yg507bR.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x174,0x178,0x17c,0x150,0x180,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,6988406033555240497,6448640512200022979,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,6988406033555240497,6448640512200022979,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,2509557579768920895,6373054615465222226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,13982932822428225580,2298979103919275646,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,18311767221605042811,14462099257836302572,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,2764553708223062316,14479220405539518603,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x164,0x174,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7668 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7712 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8112 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8112 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7920 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8156 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\7D78.exe

C:\Users\Admin\AppData\Local\Temp\7D78.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=8720 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3114285451454718491,1223336036420501334,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8636 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe6c3846f8,0x7ffe6c384708,0x7ffe6c384718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9893720507611763139,14953831290445810574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\433A.exe

C:\Users\Admin\AppData\Local\Temp\433A.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-P11G8.tmp\tuc3.tmp" /SL5="$202A2,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C0F7.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C33A.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\oR3ny00.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kj3qv78.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1TY31zg9.exe

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

C:\Users\Admin\AppData\Local\Temp\grandUIAMeKqIkURe8cc7\information.txt

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\3nC48Vv.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4Yg507bR.exe

C:\Windows\SysWOW64\GroupPolicy\gpt.ini

C:\Windows\System32\GroupPolicy\GPT.INI

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

C:\Users\Admin\AppData\Local\Temp\rise131M9Asphalt.tmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Uu3ED7.exe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_896_ZFLPMPXZSPCJTGZC

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 27a0bb255bd9e76d3bd15a536c17a81f
SHA1 76e98f5efb09908ba75415a3e4dc0ed18682fa85
SHA256 f55cec5e6385fbccd9f43a1c67619f5dc5f2a0d8bfe495e5ea1bad5941e9a86e
SHA512 9748d222ba8daa3ec35514a842381f71fca00dc90373da27e8ef772f0d225ff5cfc98d8571546c5bbef70d2d2366c05d53e25ab2dbccc4d4275a29ecf03bdd87

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8e362b072d104bf9d9dc6321f8fc0e6d
SHA1 b21a27fc468950d8fa26e96908ba66839df59066
SHA256 8d0b0b7aa59b81d93179df38195affc528531d984ff1ed6d31324aafc4e9e9ef
SHA512 8c77fa7dae46d29d0bfb667611f29e53c1d7f0108d0b26ff8234eb1b39649775fc40d2951f649be3617d5b7d1fd0d68c06de05d392ad0a327c091d600cbebb45

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 99a9b3dc7c02dc6cc7dda97208f55f6e
SHA1 88f4998842fc6e104acf06404f35c28217488275
SHA256 8f90d35850675f10f289473311e10c0fc89a68fe9663b3696fbcdc438cfc48f8
SHA512 f9a7d5e2e3330846c611a81ad3433d62d45cb24da74ce0fb649a528f613681108a61cdf6853a1fb62d0a8562629e9d5a7b3ec044f5166969a8af67118ed85153

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 49d75dc9e0cdaff2e4230b739900f589
SHA1 f3e0b6dfae0377e88ec9e544e058c9237d42e9fa
SHA256 4adbc3794898065f75a8ac7a0b5ab3984782c0eb6d344eaeb4f79762b8cee48e
SHA512 323ba592ecff333f0cb44ffc9ff8a8879580d7b6c90430149d50cabdd085fd3dc179cd132b8762fc3d1f9e19416b7bf8d76ef699fef4ad66e4a04092ccb65a7a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 923a543cc619ea568f91b723d9fb1ef0
SHA1 6f4ade25559645c741d7327c6e16521e43d7e1f9
SHA256 bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
SHA512 a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

MD5 909324d9c20060e3e73a7b5ff1f19dd8
SHA1 feea7790740db1e87419c8f5920859ea0234b76b
SHA256 dfc749d2afefe484d9aa9f8f06d461ad104a0ca9b75b46abfaaddda64a5e9278
SHA512 b64d2dce1f9a185fbb8a32adc1ff402d8045d379600bf3f9154bbde18303610f18af9fce258442db1e621ecf10b77aafe99cffedfcbe2a1490056c50cc42d0f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

MD5 d55250dc737ef207ba326220fff903d1
SHA1 cbdc4af13a2ca8219d5c0b13d2c091a4234347c6
SHA256 d3e913618a52fe57ab4320e62a5ace58a699d6bce8187164e198abe3279726fd
SHA512 13adff61e2cfa25dc535eba9d63209b7e7e9bd29fc4d6c868b057df7f680aa66ef5783a0e82a8367185debf7f6fe5bae89adc0770daff5317d2e16db5ad3ab39

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 866e172ac1dc27cbc741ceda7500f40d
SHA1 7e5873199a26d7d3082b6a41ec348acdf39c6041
SHA256 e99dc51d229128723a33c633ed3ce1596f6213f319494303f45a3389c0927bec
SHA512 3f32fd39e14b46f197ff66fda4021ccddb42ba17661e8e138b88c5086bcd97f3cfe71b0a93a2acd71295fc5b17abeaaa2b5fcd80991504b48237edc1f091c23a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7a527ffef18934193557efd822859646
SHA1 770e5f9e5266acb01893f5757f6d95eed82b8ac1
SHA256 21cbc55e32a013b0f9662db957d1e3d263778093afecd025eaf1b60f9278a046
SHA512 fe1157197018e7bb78b7160c9df9e3342cf31d1cfdb19d5a0b2fbdfd1ccfda24f83998b4fdd13f00d859231014bb1f0420e4f4aecab7afacbd7782b8d34e2192

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

MD5 b3ba9decc3bb52ed5cca8158e05928a9
SHA1 19d045a3fbccbf788a29a4dba443d9ccf5a12fb0
SHA256 8bd1b2afcbe2fa046b0937197f1b2f393ef821ff89331f99754b9006f0114df4
SHA512 86a86d370e96fa29c0c1d12991c2287936b400830869ff7b5abe4de6f32db2df782b626d724496cd6de27f8cbd32101ba34cbcd4c650ef11afa26bc048d68529

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 c0499655f74785ff5fb5b5abf5b2f488
SHA1 334f08bdb5d7564d1b11e543a2d431bd05b8bdd1
SHA256 6aa332a4d21802b2dbcd08e153764da60f538ceb0daaaaf7504ba8f67c08ef03
SHA512 5f0cec6dd823f2b3ac62017383dbbf71ed38893724312ec75e73fb197e0bcd5418bb70fdfe9150f5ca495d5f8547d8a08618bdacb5010514a3cb1101437d698e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c719925c3d223837f50c29c7c0959689
SHA1 373bec8d9f6f988051abcd01255dfc53ba05e7b0
SHA256 f8ca406536cde9aece6c0e845e9e359fce364e40a48c23a7d512f7a6a291c0b0
SHA512 e54c97bbf8f0c023db615b883545390b38e879cb35ac6c5067cbbc1d612d811aaded3f4cb1f2d3ca8d17bd6d3230a5ce3a4d970737d8dd37ca5c7c94173884ce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 92e7629827a2df9dfa63238c4b89713c
SHA1 91f2fa9024deafede49c45d2d7f99343ba820cd8
SHA256 0e1e48953593565b5826313a8a812a26366b7a8d17f046d7522e833ad567e3c5
SHA512 510bd062d83206f09957a10813e865eb89e5fbd397bbb7e8e4457788cf512c19edecae70e5206a83c3404d870e174a005f9681693053134378eef0dee954ea48

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588cba.TMP

MD5 c722d457af164a1c25037b61b17d39de
SHA1 ea69fab4f0e75ed62db6ad52ca8ceb9f6bab6b5b
SHA256 93e4bfe36c649921a6f2adff2e20ad242d95ad0c71db4b1e231780f3b62e37fc
SHA512 1fa9e733ec735d1d8a6efbbfa14b65b4e0bca05d03f72af97a7e5b1364615d8560af172d3ea34565c50704621436c29765b89a268299a8eb1f2351611d6e0b1c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\8f7abdeb3486c1b8780fede76afc20e044eff1b5\index.txt

MD5 ecdf5ed9753e6f60996f9a61e64aee11
SHA1 0f650fa8414e9733b4b209c8e53d0fa7005886a2
SHA256 3b0f06ead053a8fb3907ea84d2d9d23cbb883db8af3d3c145e2b70a418a158b7
SHA512 eeb011bdd58542b93e1d0b69e71809d4834417bcbf3acad5affddf5d99215951246392be58c9608507378e2184c9903ef67dcf3f74033be7d103ad58e857e272

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 1de34aec46e68314694a0bd4af5c51db
SHA1 b07bb11e11bde5e2222bcb26ac3da56f350c3861
SHA256 abecc09c02670855fd352a4e62271c57c3d732a87e1f65b81ff8a1134f52d8c4
SHA512 43ebb1ec341bdaaa86cbbdc8f57c37600cbe3cf0d1498fb30fd743c4325026b67942a76eafc2c4c2e448671a7ff24821b76a54205b19d861bb5e6d0c183285d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 cb4cd690c9a933f8dd30127b3d17006e
SHA1 40a0459871e33dc2c0db99eb49d01aa45b06f464
SHA256 f255fb981672651ce74688fab12af20f7c77fd2afad6448e374965c87474c02e
SHA512 e1670b7d2babe0fa7f968c5bb8cc5354c39c65132d0457374451e2660f1f161b5e1c51fcd5e4a28d34b20d34442db313645dc65cce37913f259f260c710ba1a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 b8ec85cb9fe4efcfea8347627f6952cd
SHA1 c136dd4ff421e5aff61cc4ce57e5417ce7511d61
SHA256 0bc44adacdc8586cf004756b5a3cc7b7712e6c5d0a3547d349507276c5c59a8f
SHA512 5bb6827ddf62321a6d2fbf8d08c2b0c9473ab8846fbeec80852abcd05e8dc860b335aa7ffb4e73e741767ba116f5f95008083b97d7393526a4525243a3028cc7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ac18b4a0333432dd48ca50f98053a4aa
SHA1 f17a44bd10a3febfd5ef0ab71b9b834d67a1c8c8
SHA256 8f11a11fd711e2fc0bf9cca7597fbad95fa3911311deed62694615ad1a136f25
SHA512 9282510ead016072a2f5c9e72df559b444a100225d996371e94c818974afc42933edc7a7b19e50547f5e616ed73d88f99958fe2117ecf8f06a727bf2e635b96b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 1405c741f63755795d19edd9b373e963
SHA1 a30ba71fec0435ea132c1d7d3b6a1e79ce0cd48e
SHA256 c5acba901b26f4961e178e4da20c011a2f2d9645e0c97c8fb6cbb901abecc45a
SHA512 303aad1564212a55b10f13b98b5f1474689ebe0aaa4a25144b4da83953a11e87caff6fa852d275de90e68a6038c4029d0eb7edb4fd792267c7c1efdf4d1c3946

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58bf53.TMP

MD5 146adbfaa48e3a6b7c51fe6b638af9f4
SHA1 f1fbf1fea98d0eaa167b82c0fb3164c9d20e6896
SHA256 7fd77b0df5dee2ffd952317fa0b10c7b0d82c96795a5b072f4c65d6732fe3bdb
SHA512 dd2bb5170ad9495de4914969c937e374e0198d8531c01f34cb26e01f758f46bc56cac2a7a09cbc4925b2963d8bcc403b6ee485f81c36407010e1341b6025ec83

memory/4144-1131-0x0000000002550000-0x000000000258C000-memory.dmp

memory/4144-1142-0x0000000075150000-0x0000000075900000-memory.dmp

memory/4144-1147-0x0000000007950000-0x0000000007EF4000-memory.dmp

memory/4144-1150-0x0000000007440000-0x00000000074D2000-memory.dmp

memory/4144-1155-0x0000000007660000-0x0000000007670000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4eee35bef8796d3d8de9b89d07efff62
SHA1 e08a52572e11952dcddd6a32fac2901cd9998a69
SHA256 72557c6d81f3b23b3cc2eede0403077890c00147f47e7efb9680d7071853da5d
SHA512 431ad03ff79fe2229a06c7e7954b7dcb765b50c9ef3c02936297b5336d2c287ade88c38011ee54fa0935e7bf806072b764ce37f7b7606a36608186e4dbe8decf

memory/4144-1167-0x00000000075E0000-0x00000000075EA000-memory.dmp

memory/4144-1170-0x0000000008960000-0x0000000008F78000-memory.dmp

memory/4144-1171-0x000000000A2F0000-0x000000000A3FA000-memory.dmp

memory/4144-1172-0x0000000008940000-0x0000000008952000-memory.dmp

memory/4144-1175-0x000000000A220000-0x000000000A25C000-memory.dmp

memory/4144-1180-0x000000000A260000-0x000000000A2AC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 1841cf73bd2dcc96e98c6274098b3f81
SHA1 3d96c3aa6ce03e7b9de96b86f2116eb2bca52ac9
SHA256 9a8a810b1739b91e2df4cc8c5a93d1abe758f8efb5fa6454e552e5ade5f48c54
SHA512 89c827529b076f8d2736ba258489b401ba1a1d1bc8d7407c971e066dbb800cba76ce9571c346f8edee992a6099578cf9db7400fdab7ca69d691ac0f0b5e31edf

memory/4144-1265-0x000000000A4B0000-0x000000000A516000-memory.dmp

memory/4144-1288-0x000000000A870000-0x000000000A8C0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 70e412ae2a9c0939b14bcac69aec1482
SHA1 0ed0bd9302ed3b395bed9ed70d4e197d54d495be
SHA256 051037f904022c454bfe2da054536c1d11fd611d5c6472bf5756fd0ad271471a
SHA512 4755d7fa01feff2ef462dd78d2b1db579063de6383f48e6ff5f562577444eb1d4cbed93577b14716f0351653f65bd04d70b50fe61b16d503327c4f6e2e79f362

memory/4144-1304-0x0000000007660000-0x0000000007670000-memory.dmp

memory/4144-1375-0x000000000B670000-0x000000000B832000-memory.dmp

memory/4144-1378-0x000000000BD70000-0x000000000C29C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 56b9cf6c617ba45b4f10622549ebd641
SHA1 fa9b33f75d10100594f53da20595da3d33b1162c
SHA256 6bb9bda92152137a85968bbe137edc4b33f2c78174501cd81ed795454625e94d
SHA512 6efc0c3a73cef1890be620cfbc509a258f52940db682662621ee7addb6cf24f1b7d6a55f2892dc4013a6a7a7b143ecbe2d50eacc9a5ad06cb2a13b43f12600e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 050b28330a355aa4eb2703d2dfd93fb3
SHA1 a7c4a5632d488e041290fb9727db09a844b5e612
SHA256 647e26947d6a451bd7603d26eab59ee74b2fe159b45e1633d0f4efa4c10c78f0
SHA512 ed13f95d27f93a20fd14ce8d2eff9d1feef64b6d463efe2aa8ab411f44bff80e15ac5458f3356413ff56d638dfc5d4be065f18aaaebbf885ca4d3ba79e170df2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 165c86c0f68b4294ca9541bf90f7d3a0
SHA1 5b7e412b3e6e4cb77866c8ba18d842a7d0173970
SHA256 6d38cc3c624b23ecc95198e461edab9f5e1e08fc980f02e7b536a0dd17ea3067
SHA512 55aace9cebac240f0110cae099f354077a9516f5746446f8f6bfc95b9eb1f4c493a5f4cc5226b5b351de025b09e06d5a6f7b9d08806f7e6ea69488bff300b5f7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

memory/4144-1423-0x0000000075150000-0x0000000075900000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f70c20290a2e195b40e725143f419596
SHA1 df5a78790a0dc7171257ec02df59e1759f0eb0c5
SHA256 3ef19b4febc08f6628ba4fa7cee7ba27307204aaed7b5bb077630249a1537c1e
SHA512 37e06b4ab99a9e58955e60ff17a135d847be6fbf861091d9f1a53dc3fdd7ff2fa4b9e1cdd2677cfb65be2eeb8601bd9a58a23b0fb00b7f3ed91ef4c4e5c4b502

memory/4144-1442-0x0000000007660000-0x0000000007670000-memory.dmp

memory/5852-1445-0x0000000075150000-0x0000000075900000-memory.dmp

memory/5852-1446-0x00000000004B0000-0x0000000001966000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 94a2400ff60adf6ed00ee9e52062f142
SHA1 79c5358e861186a0d2b100701a931dee8380f4eb
SHA256 ff380e02f3695245e0ae80591055651504e35417ad9564b396a57dc33038ed63
SHA512 25de717b14b9eb433ff111c6232f1f203c777566b8e4b71cca9b8adde47ee335968e155b146b16035b082ed87321dd2b15d5b5a42046565745b0f0c4889b2dac

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1a692b3e4b38b7f3bcfc4a41b48107f9
SHA1 4504eff115b82364d6b939c8916926b7834bff7b
SHA256 44e931546e99805e15906f972323168ea3fc28e4b3b891f12706238c4419183f
SHA512 7a15da965ad542b1e4cd00e2ccf55745511067301884cc1579ab4fb2bbcd98f8949450f7eba917da04fd9c125934235371b256186c8788cf5043bada5da2cec4

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 36322b65968a6e57b57dcc18722a072e
SHA1 df2e5b4dbf462c975286e5e9a7c603f1028ed952
SHA256 dad40b4d5a65b829214837d6b37ae47e58dd31a2aad862e53c2976eb40b599f7
SHA512 345a91dc4108a6c748f523d697b04e199e2e8b612554877180694ef3f4f9e01be5f736a8d6b6dcdae118bbfb5cf905966074104ac1babac65d15cb9386f5e519

memory/6268-1478-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

memory/6520-1480-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 dad964f7fba301a84efeafb2150d4396
SHA1 2657aa0b73c3930b3ecdf3a61d46fc42c91641c3
SHA256 8548e1fbda030faad86295e40cb577dd08c568e820590d142874439baafc80e7
SHA512 2282afd07bb0af5f632dbfdac418d2c7f34e4ed53a04c0a75ea26b7c0c1565d13d345af9cd4423fd104814f2dd9742fc858f3bf87a8741447972ea9fc48a476a

memory/5852-1491-0x0000000075150000-0x0000000075900000-memory.dmp

memory/4144-1504-0x0000000007660000-0x0000000007670000-memory.dmp

memory/7056-1505-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

memory/940-1632-0x0000000000400000-0x0000000000785000-memory.dmp

memory/940-1633-0x0000000000400000-0x0000000000785000-memory.dmp

memory/940-1636-0x0000000000400000-0x0000000000785000-memory.dmp

memory/6352-1639-0x0000000000400000-0x0000000000785000-memory.dmp

memory/6252-1641-0x0000000002A10000-0x0000000002E09000-memory.dmp

memory/6252-1642-0x0000000002E10000-0x00000000036FB000-memory.dmp

memory/6252-1643-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4472-1648-0x0000000000400000-0x0000000000409000-memory.dmp

memory/6520-1649-0x0000000000400000-0x0000000000414000-memory.dmp

memory/6864-1646-0x0000000000860000-0x0000000000960000-memory.dmp

memory/4828-1652-0x0000000003040000-0x0000000003050000-memory.dmp

memory/4828-1651-0x0000000075150000-0x0000000075900000-memory.dmp

memory/4828-1653-0x0000000003040000-0x0000000003050000-memory.dmp

memory/4828-1650-0x0000000002FA0000-0x0000000002FD6000-memory.dmp

memory/6864-1647-0x0000000000960000-0x0000000000969000-memory.dmp

memory/4472-1645-0x0000000000400000-0x0000000000409000-memory.dmp

memory/6268-1644-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

memory/4828-1654-0x00000000058E0000-0x0000000005F08000-memory.dmp

memory/4828-1655-0x0000000005630000-0x0000000005652000-memory.dmp

memory/4828-1656-0x0000000005F10000-0x0000000005F76000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iulwihcg.4yx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4828-1666-0x0000000006180000-0x00000000064D4000-memory.dmp

memory/4828-1667-0x00000000065A0000-0x00000000065BE000-memory.dmp

memory/4144-1670-0x0000000075150000-0x0000000075900000-memory.dmp

memory/4828-1671-0x0000000006B50000-0x0000000006B94000-memory.dmp

memory/4828-1672-0x0000000003040000-0x0000000003050000-memory.dmp

memory/4828-1673-0x00000000078E0000-0x0000000007956000-memory.dmp

memory/4828-1675-0x0000000007960000-0x000000000797A000-memory.dmp

memory/4828-1674-0x0000000007FE0000-0x000000000865A000-memory.dmp

memory/6352-1676-0x0000000000400000-0x0000000000785000-memory.dmp

memory/4828-1690-0x0000000007B00000-0x0000000007B1E000-memory.dmp

memory/4828-1691-0x0000000007B60000-0x0000000007C03000-memory.dmp

memory/4828-1680-0x000000006C8F0000-0x000000006CC44000-memory.dmp

memory/4828-1679-0x000000006E6F0000-0x000000006E73C000-memory.dmp

memory/4828-1678-0x000000007F7A0000-0x000000007F7B0000-memory.dmp

memory/4828-1677-0x0000000007B20000-0x0000000007B52000-memory.dmp

memory/4828-1692-0x0000000007C50000-0x0000000007C5A000-memory.dmp

memory/3356-1699-0x00000000030C0000-0x00000000030D6000-memory.dmp

memory/4472-1700-0x0000000000400000-0x0000000000409000-memory.dmp

memory/6252-1716-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/6268-1717-0x0000000000400000-0x0000000000965000-memory.dmp

memory/3352-1719-0x00007FF6C0B40000-0x00007FF6C10E1000-memory.dmp

memory/7056-1720-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/6352-1723-0x0000000000400000-0x0000000000785000-memory.dmp

memory/5736-1803-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/6352-1827-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C33A.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

memory/5736-1902-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/6352-1928-0x0000000000400000-0x0000000000785000-memory.dmp