Malware Analysis Report

2025-03-15 05:09

Sample ID 231212-ay3lqsdbg7
Target 33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6
SHA256 33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6
Tags
privateloader redline risepro smokeloader @oleh_ps livetraffic backdoor collection discovery evasion infostealer loader persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6

Threat Level: Known bad

The file 33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6 was found to be: Known bad.

Malicious Activity Summary

privateloader redline risepro smokeloader @oleh_ps livetraffic backdoor collection discovery evasion infostealer loader persistence spyware stealer trojan

Modifies Windows Defender Real-time Protection settings

RisePro

RedLine payload

PrivateLoader

SmokeLoader

RedLine

Downloads MZ/PE file

.NET Reactor proctector

Reads user/profile data of local email clients

Windows security modification

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Drops file in System32 directory

AutoIT Executable

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

outlook_win_path

Creates scheduled task(s)

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Runs net.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-12 00:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-12 00:38

Reported

2023-12-12 00:40

Platform

win10v2004-20231127-en

Max time kernel

71s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Yh20yP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Yh20yP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Yh20yP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Yh20yP.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Yh20yP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Yh20yP.exe N/A

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Yh20yP.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Yh20yP.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kr2Nk72.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SQ3TV37.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nB6gu44.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5ng0zR7.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5ng0zR7.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5ng0zR7.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5ng0zR7.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4qJ029WZ.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4qJ029WZ.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4qJ029WZ.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Yh20yP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Yh20yP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Yh20yP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4qJ029WZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4qJ029WZ.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4qJ029WZ.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Yh20yP.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 964 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nB6gu44.exe
PID 964 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nB6gu44.exe
PID 964 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nB6gu44.exe
PID 3016 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nB6gu44.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kr2Nk72.exe
PID 3016 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nB6gu44.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kr2Nk72.exe
PID 3016 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nB6gu44.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kr2Nk72.exe
PID 1664 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kr2Nk72.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SQ3TV37.exe
PID 1664 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kr2Nk72.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SQ3TV37.exe
PID 1664 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kr2Nk72.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SQ3TV37.exe
PID 212 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SQ3TV37.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe
PID 212 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SQ3TV37.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe
PID 212 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SQ3TV37.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe
PID 3608 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe C:\Windows\SysWOW64\schtasks.exe
PID 3608 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe C:\Windows\SysWOW64\schtasks.exe
PID 3608 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe C:\Windows\SysWOW64\schtasks.exe
PID 3608 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe C:\Windows\SysWOW64\schtasks.exe
PID 3608 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe C:\Windows\SysWOW64\schtasks.exe
PID 3608 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe C:\Windows\SysWOW64\schtasks.exe
PID 212 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SQ3TV37.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Yh20yP.exe
PID 212 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SQ3TV37.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Yh20yP.exe
PID 212 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SQ3TV37.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Yh20yP.exe
PID 1664 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kr2Nk72.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4qJ029WZ.exe
PID 1664 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kr2Nk72.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4qJ029WZ.exe
PID 1664 wrote to memory of 1420 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kr2Nk72.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4qJ029WZ.exe
PID 3016 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nB6gu44.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5ng0zR7.exe
PID 3016 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nB6gu44.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5ng0zR7.exe
PID 3016 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nB6gu44.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5ng0zR7.exe
PID 964 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe
PID 964 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe
PID 964 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe
PID 1292 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1292 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1292 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1292 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4476 wrote to memory of 1512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4476 wrote to memory of 1512 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 1248 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1292 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1292 wrote to memory of 1472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1472 wrote to memory of 4896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1472 wrote to memory of 4896 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1292 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1292 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4988 wrote to memory of 2668 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4988 wrote to memory of 2668 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1292 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1292 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4468 wrote to memory of 2584 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4468 wrote to memory of 2584 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4476 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4476 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4476 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4476 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4476 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4476 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4476 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4476 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4476 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4476 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4476 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4476 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4476 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4476 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2037190880-819243489-950462038-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exe

"C:\Users\Admin\AppData\Local\Temp\33aed805e114f04f73f867fdb7cf904e15447aa47f74e094c024c9b18c217fe6.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nB6gu44.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nB6gu44.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kr2Nk72.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kr2Nk72.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SQ3TV37.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SQ3TV37.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3608 -ip 3608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3608 -ip 3608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3608 -ip 3608

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3608 -s 1856

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Yh20yP.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Yh20yP.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4qJ029WZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4qJ029WZ.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5ng0zR7.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5ng0zR7.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff98f6c46f8,0x7ff98f6c4708,0x7ff98f6c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff98f6c46f8,0x7ff98f6c4708,0x7ff98f6c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff98f6c46f8,0x7ff98f6c4708,0x7ff98f6c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x174,0x178,0x17c,0x150,0x180,0x7ff98f6c46f8,0x7ff98f6c4708,0x7ff98f6c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff98f6c46f8,0x7ff98f6c4708,0x7ff98f6c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,5994895325614359886,14095569812190321911,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,5994895325614359886,14095569812190321911,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff98f6c46f8,0x7ff98f6c4708,0x7ff98f6c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3508 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3496 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,10293378502278978339,4705313938204423282,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3428 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,5049390155496688028,16797316299185368031,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 /prefetch:3

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff98f6c46f8,0x7ff98f6c4708,0x7ff98f6c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff98f6c46f8,0x7ff98f6c4708,0x7ff98f6c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff98f6c46f8,0x7ff98f6c4708,0x7ff98f6c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff98f6c46f8,0x7ff98f6c4708,0x7ff98f6c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7548 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7548 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7820 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,14601913148608587645,5412505835845961888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7492 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\3081.exe

C:\Users\Admin\AppData\Local\Temp\3081.exe

C:\Users\Admin\AppData\Local\Temp\6B58.exe

C:\Users\Admin\AppData\Local\Temp\6B58.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-BS56Q.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BS56Q.tmp\tuc3.tmp" /SL5="$701A8,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\7E16.exe

C:\Users\Admin\AppData\Local\Temp\7E16.exe

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Users\Admin\AppData\Local\Temp\854B.exe

C:\Users\Admin\AppData\Local\Temp\854B.exe

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Users\Admin\AppData\Local\Temp\89FF.exe

C:\Users\Admin\AppData\Local\Temp\89FF.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 51.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 twitter.com udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 steamcommunity.com udp
BE 64.233.166.84:443 accounts.google.com tcp
US 104.244.42.65:443 twitter.com tcp
US 8.8.8.8:53 store.steampowered.com udp
IE 163.70.147.35:443 www.facebook.com tcp
GB 104.103.202.103:443 steamcommunity.com tcp
US 92.123.241.50:443 store.steampowered.com tcp
US 8.8.8.8:53 www.epicgames.com udp
BE 64.233.166.84:443 accounts.google.com udp
US 44.196.86.250:443 www.epicgames.com tcp
US 8.8.8.8:53 65.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 84.166.233.64.in-addr.arpa udp
US 8.8.8.8:53 35.147.70.163.in-addr.arpa udp
US 8.8.8.8:53 103.202.103.104.in-addr.arpa udp
US 8.8.8.8:53 50.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 www.paypal.com udp
US 151.101.1.21:443 www.paypal.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.169.46:443 www.youtube.com tcp
US 8.8.8.8:53 250.86.196.44.in-addr.arpa udp
US 8.8.8.8:53 21.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 84.239.225.13.in-addr.arpa udp
US 8.8.8.8:53 46.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 store.akamai.steamstatic.com udp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 tracking.epicgames.com udp
US 8.8.8.8:53 static-assets-prod.unrealengine.com udp
US 52.203.233.59:443 tracking.epicgames.com tcp
US 8.8.8.8:53 www.google.com udp
BE 13.225.239.46:443 static-assets-prod.unrealengine.com tcp
BE 13.225.239.46:443 static-assets-prod.unrealengine.com tcp
GB 172.217.169.46:443 www.youtube.com udp
US 8.8.8.8:53 i.ytimg.com udp
FR 216.58.204.68:443 www.google.com tcp
GB 172.217.169.54:443 i.ytimg.com tcp
US 8.8.8.8:53 200.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 23.147.70.163.in-addr.arpa udp
US 8.8.8.8:53 46.239.225.13.in-addr.arpa udp
US 8.8.8.8:53 68.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 59.233.203.52.in-addr.arpa udp
US 8.8.8.8:53 54.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 api.x.com udp
US 8.8.8.8:53 abs.twimg.com udp
US 8.8.8.8:53 api.twitter.com udp
US 152.199.21.141:443 abs.twimg.com tcp
US 104.244.42.130:443 api.twitter.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 172.64.150.242:443 api.x.com tcp
US 8.8.8.8:53 video.twimg.com udp
US 8.8.8.8:53 t.co udp
US 8.8.8.8:53 pbs.twimg.com udp
US 152.199.21.141:443 abs.twimg.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
GB 199.232.56.158:443 video.twimg.com tcp
US 104.244.42.197:443 t.co tcp
US 93.184.220.70:443 pbs.twimg.com tcp
US 8.8.8.8:53 community.akamai.steamstatic.com udp
US 8.8.8.8:53 www.paypalobjects.com udp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 141.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 242.150.64.172.in-addr.arpa udp
US 8.8.8.8:53 158.56.232.199.in-addr.arpa udp
US 8.8.8.8:53 197.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 221.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 70.220.184.93.in-addr.arpa udp
US 8.8.8.8:53 25.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 130.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 static.ads-twitter.com udp
GB 199.232.56.157:443 static.ads-twitter.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 157.56.232.199.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
US 8.8.8.8:53 fbcdn.net udp
IE 163.70.147.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 c.paypal.com udp
US 8.8.8.8:53 www.recaptcha.net udp
GB 142.250.200.3:443 www.recaptcha.net tcp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 192.55.233.1:443 tcp
US 8.8.8.8:53 t.paypal.com udp
US 151.101.1.35:443 t.paypal.com tcp
GB 142.250.200.3:443 www.recaptcha.net udp
US 192.55.233.1:443 tcp
US 8.8.8.8:53 b.stats.paypal.com udp
US 64.4.245.84:443 b.stats.paypal.com tcp
US 8.8.8.8:53 35.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 84.245.4.64.in-addr.arpa udp
US 8.8.8.8:53 dub.stats.paypal.com udp
US 64.4.245.84:443 dub.stats.paypal.com tcp
FR 216.58.204.68:443 www.google.com udp
US 8.8.8.8:53 c6.paypal.com udp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 sentry.io udp
US 35.186.247.156:443 sentry.io tcp
RU 81.19.131.34:80 81.19.131.34 tcp
US 8.8.8.8:53 156.247.186.35.in-addr.arpa udp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
GB 142.250.179.238:443 play.google.com udp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 api.steampowered.com udp
GB 104.103.202.103:443 api.steampowered.com tcp
FR 185.221.198.96:80 185.221.198.96 tcp
US 8.8.8.8:53 96.198.221.185.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nB6gu44.exe

MD5 1f2fc7af940bef8238a49d7d653b7617
SHA1 57910a5978a3be99885c1dbb8228d91e56b80575
SHA256 0e750224b738ef2d29961888216aee17e70d96e503b95545b9e78c812103faf0
SHA512 72e69291a95f82af04f985d6d2763be44c6adcac47120bdd26fda25e13edb531150e7b11555e17d29b5527edadaf565d02a64e7b0d6e6fd46cafd31936acd915

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nB6gu44.exe

MD5 982dad34cc9b1f23304a5c01920b8816
SHA1 19155210974ead82c14d9a47726b0d8794c52eea
SHA256 fb623d37025a51390428585bd24964cdc57c1af74ede7ab2edfba4717b1c5ea8
SHA512 cf1b28e46513789b3f857c350b152b62dce7cfab64aeafca3e02b82c275acf667b2a9265f07e11d1a8c97411b50506c7ad331851e310ef5dbd9dd3f88f1d1d45

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kr2Nk72.exe

MD5 62b6663d3abff384919de48149186b59
SHA1 70ebc98c14757dcd367156d7a08ef6f446bbd77c
SHA256 f24ea3a116b9a9f562ec59634201d6adc0395b5d928cbb40b5bf02777ec37151
SHA512 0221412893d6000570ba510efbd3fe31763e158feca87a4174e803249849037436219566df986112bd4fd9b1ad296d5d8ada5aa6ea2f0851f4bf9076a7e1e06e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kr2Nk72.exe

MD5 8eb334374355b426071ed512c6cb3eef
SHA1 4fa789f8b6ddc00b47d72759f1bd39b1822d52b1
SHA256 46d9b7a0d62fcc5a88722f141da00568079ebb408ea6e7a61ab7debcd15a1240
SHA512 f1754dddbfea71fd396795a89c5ad4ef0771dca8d69b587175c87a75b61ce2071350b80dde66c317832d5ff5acd16c80dcc12b48a7cbc3a7dce9d2f42cd960c5

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SQ3TV37.exe

MD5 5787e529811ff703799fddffc49b8697
SHA1 1b0934ba27b8be36a7a544cb457ae100ec64c992
SHA256 6cdd6b4f4479597c952a4c369501388a410d29eda19ffa8d5675eb3a6aa2e694
SHA512 387c8123b269bf257e26517a276a6b6d11d536bc745d1d3914a12305fbf629d2438de96116690e70788f8b71027216c508f83d472a7bcaf58cfa6cba3fcc1b9c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\SQ3TV37.exe

MD5 7313b94e532bf299cce6db5eb89b4215
SHA1 56bf4fc8e32b62d6fb5b70a2cdbf1b0cb7c5a931
SHA256 b06167825c7f08d95bb71763b5f5064ddb682477595d9d153c5b2a70b445e603
SHA512 ec2a3fc9be6a42a10162d1eac7a3ff5bf5fc3ed4043f22c079182b3de7785b21612ec854f28133bc2eb0b5d395825c3f295f33a621f954a6f66fb37b9515bdb0

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe

MD5 dceb886221af903f0f492b2030764e07
SHA1 00bee30c5ee5576f65f432a92f2c293d1841f5f4
SHA256 50a838621fdfb82a3e67f91f25cef3e5469ebbe6a71b10155f79694e35a74382
SHA512 8fec393b9ccd8689d3e99d6fc736632b81fd07b0331058a0dc3ee47b0fa20d9179fbe8266ef63118b323c82b0f481426cbcbc67e1d1f730991f9c7be9009d6e0

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1GN18rb6.exe

MD5 dcea3ce795b368d927921a84ae80274a
SHA1 c993a5807666f77a6b2b76807cb3c83761758297
SHA256 070965ba8f60d22c6e8a6c672e0c57485ec53125193c7e5f0ba508b3bb16ffa3
SHA512 153b52aa1f9a8da903820e267d2f99d2103eb393b78c027597872deeb687ef9984675c4a5ec128d019180a8a3d8acb53ad8f7d03edc3b5e094fbc2db0892f6d7

memory/3608-29-0x0000000002650000-0x0000000002724000-memory.dmp

memory/3608-30-0x0000000002730000-0x00000000028C5000-memory.dmp

memory/3608-31-0x0000000000400000-0x000000000090B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 cca2babf22722d42883aa897e3bed8eb
SHA1 f86b306f1716bfa3b2c9696930c756fb2b9eabd8
SHA256 efbf367f505064f1edfd769388b6a3410516680eefe8838079f05a6e4e601f0e
SHA512 67b10850335fa15ef0151b97671e7671c5664813f07c7afb179b47010675968598e97d02de8ba779d546d6369b794e98b512f25b4df9ec90dc48b1e562f78017

C:\Users\Admin\AppData\Local\Temp\grandUIA9Bra2e2ZjwnIy\information.txt

MD5 183d60ec48d768d937e46190b25c8b86
SHA1 4646be2a0d34caa773efa81c54f42d75a16d1f63
SHA256 8e5ce77364aa0b5f7f7e9179a7963a714ebe8ac853fa685b7c90654ad0be13a9
SHA512 41c61629ed9008ed2844c63dbff41f802f2ae4482d6a876a5db6ba9885401ab6a6e06b8209d17b37470953ee3f4b8ec1fa6d701272abdcf30ad0ef20449577ed

memory/3608-108-0x0000000000400000-0x000000000090B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Yh20yP.exe

MD5 9db0040eadb583495203845d5fcd1dcb
SHA1 c23a9b2277846dca6e0af2fc81b93e104a5f1d7d
SHA256 205ca1621054dc723f66aa2afbd73298591acfd5f18c751a3a1763e76a7ef7c7
SHA512 12a3a5fedd43e013a5225dfb81c3383451ab7c5db0b1f28637d50b68f33aee7f7e98931869b1a91598e9868253d41c78857778123ffc8f1d152ad986a75cf705

memory/4032-112-0x0000000002380000-0x000000000239C000-memory.dmp

memory/4032-113-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/4032-114-0x0000000004B60000-0x0000000004B70000-memory.dmp

memory/4032-115-0x0000000004B60000-0x0000000004B70000-memory.dmp

memory/4032-116-0x0000000004B70000-0x0000000005114000-memory.dmp

memory/4032-117-0x0000000002440000-0x000000000245A000-memory.dmp

memory/4032-119-0x00000000744A0000-0x0000000074C50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4qJ029WZ.exe

MD5 37bb4515f1d4bb55bac850b890d25da3
SHA1 1321492166e42f29fb3d561e178106d7cda985b0
SHA256 427265d40ef6306770a9ccf28a7d478e79d3f8e4a21c8f84ecbc48ff62baf77a
SHA512 e346e3a179d3209c5a4d1f38ff248987872d0495c41eb4d0fea888d6d16f5ec205f9dc0261ca0ef5134738a815ab944ed569531897aee403f1a2da1a90404ca9

memory/1420-123-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3392-124-0x0000000003130000-0x0000000003146000-memory.dmp

memory/1420-125-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5ng0zR7.exe

MD5 e8787eb7e3e319f7bcf0a40a560cc55b
SHA1 86b2497bf24894a3e55a877fc1008d2c47ee5dfc
SHA256 a5f975ce435368727680a8d1d657b27af8640e879ae64c4d3f97280ce92b42f7
SHA512 fb272c699c8002412ddfd859353792d15df4b6967a744f7e184801215b1b0a7a64cccf5583b2c590c14cc1dc459105dda9a96a4a757349e437b2425eba831598

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

C:\Windows\SysWOW64\GroupPolicy\gpt.ini

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\rise131M9Asphalt.tmp

MD5 c444cb5e3e6ea4a1f6b06b85e47dc14a
SHA1 a303d230ec2e863df158c2d03aaaa62dd5626288
SHA256 8fd7a4784225bce221b811a0e881da9a528e10146117424c77f56ab9bd6c2fc0
SHA512 1889d8fc0a23b95b8717756606cce06bba642624632eeb0f04292eb1fc9222030e7a2280f4cd7822cb6b7d0e899f31b36d97a4c0f66a4416277990406549ea9b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

MD5 9e4fa64948966e685e69fa57d71bdcd0
SHA1 4104727ca524a74f505f37c5a012b0d851fcd41a
SHA256 6f5d884729ff88b905d9f387ee60dfa606c038226515c79b627e726b57c6f6d9
SHA512 79cd66e1187d4f2e08aeda04ff72790c10c040fef74c8e9de06ae86dba99b52ab19f0a0bf0d1da3ef0cf273c75b0f8026fbda0d6cec9c639fc06bf39e4f891ce

C:\Windows\System32\GroupPolicy\GPT.INI

MD5 7cc972a3480ca0a4792dc3379a763572
SHA1 f72eb4124d24f06678052706c542340422307317
SHA256 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512 ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Nz8NY09.exe

MD5 2f13f77bb68563d9de0cd8c12cc1cccb
SHA1 95b7355001afe080aa8de09671a1ae4f07b0d9e8
SHA256 290914a4b424312f4dbc59903438146ed3d67ce019f8909ddf8cf94af1cb420b
SHA512 d250f9885a97924ab7e2a34526602d71563433780c3d86f41cb7b06887831e27473ddca5c16c1e81f8e9f6103f8abb08df17d96e0678f277151ba7decb4cd1b9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fcd8bb32c04fa99657007efde87bbbc2
SHA1 ce575cef42840e731c9834e27efa02efa0c57a6b
SHA256 2e3fecfa2023e8f7b14c40277a60b0c781659ae240a32ae2521f7fa0f000744f
SHA512 b87bece2e0850f523206684c555cf80b348f794d51e8e0f7cf9c0ef054fc103885145acde9698dc363e8162aeaa4495a180825836e3fb92d4a3220f3359f57c9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e5c27b4a4d5a3c9c60ba18cb867266e3
SHA1 dea55f1d4cdc831f943f4e56f4f8e9a926777600
SHA256 860ed0acc83eb0096cc8911725e2c631ff879ad8c35854577651af502c4b69c9
SHA512 56eda28e9c61e8081dadc220d23e7bb3320a9ba557eb7511d17a3d2836aa61f301d1d714a3d611eedd7c4b91886c790af7366b01acdb3b637f3dc4fb024f3f6b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1449c4c27e49909c5c0e4cad14248c6a
SHA1 153e2eff9338a007283df3397882f6a8c4ce3781
SHA256 e072aa928a6d59f04b3ce4f7f061528fede4899626de5ddb80140037b263fac5
SHA512 0e0891042a8024a0d34ca96ba99807fcb97a60fa9ff0436ff3b136d2f71f9f1bfa2bc6154b9b321814dda14f47f4ccfeb561dc6f77ee07767ece3be21380abf4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0131c64d75954a93e680b15946425732
SHA1 917f7d7ed905d3b6c0e472c11124ecea3fc388d5
SHA256 25d79df5187d74c5e75e442d77e8ef0613f5827fac468f3df5472c2b281bc811
SHA512 31638a6023c1e3c0e627e4cebb4836bbeda872fc29c266bef9934866c1241de62fd2605d82831e3c92e5294ee32751fac446bb1fcc9ef53077e52d640768db2f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 156571adc8018153caab623a1ff14d12
SHA1 87acefa9cba437b97b885959fb3d5417df59c3e1
SHA256 6fabb41d3dc5e7b9d1310cc167123abc02eed6c771b967043e91743c0fd91a8a
SHA512 8e14346860a5768fe1bfff61efc93cf57653897eda63798b54b7acd61eaa2968852e66048e364af3e563657ac49175aa6b3bcbb2b721abb9454edbf12fe0a60b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b2b38380-5702-4439-952b-d49d3c79a5d2.tmp

MD5 355ca05607f6875dd7ac490b4e9ceb19
SHA1 8829097710fb56a4325a2243b0ef9dd037644ea7
SHA256 e48ae40999bfa698e33d3c0dafcb340b797bcd71a79a6f343e3b8bb238439d8e
SHA512 ad786e49055f1431bdf4f38353ea420669c7ef515ad0beb667d65b89db2d91bd331e4439a1d43e3fe232d6510623a1507a12139347058e554fb9aa5cdea18d6f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

MD5 923a543cc619ea568f91b723d9fb1ef0
SHA1 6f4ade25559645c741d7327c6e16521e43d7e1f9
SHA256 bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
SHA512 a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

MD5 909324d9c20060e3e73a7b5ff1f19dd8
SHA1 feea7790740db1e87419c8f5920859ea0234b76b
SHA256 dfc749d2afefe484d9aa9f8f06d461ad104a0ca9b75b46abfaaddda64a5e9278
SHA512 b64d2dce1f9a185fbb8a32adc1ff402d8045d379600bf3f9154bbde18303610f18af9fce258442db1e621ecf10b77aafe99cffedfcbe2a1490056c50cc42d0f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

MD5 d55250dc737ef207ba326220fff903d1
SHA1 cbdc4af13a2ca8219d5c0b13d2c091a4234347c6
SHA256 d3e913618a52fe57ab4320e62a5ace58a699d6bce8187164e198abe3279726fd
SHA512 13adff61e2cfa25dc535eba9d63209b7e7e9bd29fc4d6c868b057df7f680aa66ef5783a0e82a8367185debf7f6fe5bae89adc0770daff5317d2e16db5ad3ab39

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 252a7a185db7fe915bf0315ebc54d242
SHA1 e3898710e250d0ffc86e3125932dab68fa10bb74
SHA256 30d6bda1140f5add506342ccfb1eaecb775858c9459c47ab282d4e036a920dcd
SHA512 dccc44c64791a65356eb59e5e2cfd9223862dd68bb3c1b7bb1ca81750e2e99ba73527c4183868e05d07431b5f5d2e2dabf0a62e745550532c0a875541b70d203

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 6c13ac31f0dcb94de9c3f0c487975cc9
SHA1 a942ec8a6f0ff477147034132fc690032fc909a8
SHA256 721c12ba2d38f08fd3fcb0ddff0cea8419d2b6a496b03983c6f5bc05faa61ede
SHA512 c215903cfbe31a5a7528483671b93bd2fbcd5c5ae55df4a0762dc00a6daa88e72a6529139a45de70ed3b4141352019bc8c106f04acb34e796a646608510f199c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 e30738d93d6789672ce8e1c4bfe275a8
SHA1 ce2195ec1f2e3830b9a106a9dc8d7fa5397d10fc
SHA256 7d60046d1238ff11bdf616d83c212ad6866a7cc630ee9be8580050dee7f74832
SHA512 e39c9590f558477a1b823de555bf27542a725566d8bd839a1c493459444d49d755445d8ff34f59681ede12a8e654c5a7fc34b6008c9abcfd65d09f6b1b523a65

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

MD5 b3ba9decc3bb52ed5cca8158e05928a9
SHA1 19d045a3fbccbf788a29a4dba443d9ccf5a12fb0
SHA256 8bd1b2afcbe2fa046b0937197f1b2f393ef821ff89331f99754b9006f0114df4
SHA512 86a86d370e96fa29c0c1d12991c2287936b400830869ff7b5abe4de6f32db2df782b626d724496cd6de27f8cbd32101ba34cbcd4c650ef11afa26bc048d68529

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 925652d79f564bc2cf335359094cea11
SHA1 be62e0576d796f2cb92198320dce15c8a8f02b80
SHA256 1d95976664eadaf016b0bd2559efa8a8138d7b8f35c544c02bc67addd418cd9c
SHA512 d6cdea604251fdc5a116f2032d6063b34d383fdb44564f20332161e2e66f14c973a62ee7c38513161f57ae25b8470790348355e6b91b37632b7a400524624a51

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584e98.TMP

MD5 38b4e17d217c8ac6d055df5ee80eef0e
SHA1 dc89b0480135c9333de9c203adc9cea257c81f3d
SHA256 67ec0a48f690a138e86d17129ea4b6a420c0aa934151127c5cacd2bda501ea3f
SHA512 3a34c56fe3ff3f47ec14fddfb22c3da70c668d8408c5f477c0543df60ae1d405cbb319ba2e776c02b950fbc3c49c857dd4ba25a10fba0244f6abf8fd270c4af3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 50c2fdb2c813b4fcd58a83535a9a7c1e
SHA1 d96c8e4bb69184d1a660826ef66956ad6d111cc8
SHA256 38ebccdac57376c1c25a6fab8e6192af5d6ca563de713d8211145e37ad91b38c
SHA512 633668a083bb3c15365eedda61939761c82ad7e0b31871aa8915396dc4aca3cc32d5279e88bba651f7d96a373d96892add90c94e7db1615b013e937499343e77

memory/1856-637-0x0000000000C40000-0x0000000000C41000-memory.dmp

memory/1116-639-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5664-655-0x00000000020C0000-0x00000000020C1000-memory.dmp

memory/6824-777-0x0000000000D90000-0x0000000001284000-memory.dmp

memory/5444-781-0x0000000000680000-0x00000000006BC000-memory.dmp

memory/6824-788-0x0000000005B60000-0x0000000005BF2000-memory.dmp

memory/6824-791-0x0000000005DA0000-0x0000000005E3C000-memory.dmp

memory/2716-792-0x0000000000400000-0x0000000000785000-memory.dmp

memory/2716-794-0x0000000000400000-0x0000000000785000-memory.dmp

memory/6824-796-0x0000000005D30000-0x0000000005D3A000-memory.dmp

C:\ProgramData\SpaceRacesEX\SpaceRacesEX.exe

MD5 ec1a1024a0e0afc9a84f620562e8e466
SHA1 d6abda3e6ad1a9bdf0df41bb1b6b1ff2802d8970
SHA256 b526a29d8684ace2de8b81947cf35dbd8aa1fcdc4ef2b97c8650c5ca67d87cca
SHA512 4fed5898fb38d9733bb7c9da3339ebb554d21c065b6c88d4c51951bd05a5025fbe164fada7c949884a23a93c1ff1fca9442da141a118d35f3f3fb24f54570ef6

memory/2716-798-0x0000000000400000-0x0000000000785000-memory.dmp

memory/6824-776-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/6824-808-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

memory/5444-811-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/2860-813-0x0000000000C50000-0x0000000000C8C000-memory.dmp

memory/564-814-0x0000000000400000-0x0000000000785000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 ab5896fac1234d0ea4b3a5aeadc1bc81
SHA1 a5dcb756d8e9cf0a4f316512386815ced850034d
SHA256 a99e5280b0d47c035724182c33484ea4d2cb184d910fc8efd29064af6c482489
SHA512 c0a9f08a8bfb231015ca816347e41c8bd3d4c1e6f8a78fb36de287332ba9a4a04140870139a072d48b80afc7a1b5815ed4fb4d05047ad44d777c9ebc1858089d

memory/5444-816-0x0000000007280000-0x0000000007290000-memory.dmp

memory/2860-817-0x0000000074D00000-0x00000000754B0000-memory.dmp