Malware Analysis Report

2025-01-02 03:51

Sample ID 231212-khj5kabch4
Target 4224a95928d9161db16a1ac8e962cc19.exe
SHA256 78a2c197dcb65883cebc38339dd08b21f6dffb020d7cbb33a734ed969b1a5fb3
Tags
privateloader risepro smokeloader backdoor evasion loader persistence stealer trojan redline @oleh_ps paypal infostealer phishing
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

78a2c197dcb65883cebc38339dd08b21f6dffb020d7cbb33a734ed969b1a5fb3

Threat Level: Known bad

The file 4224a95928d9161db16a1ac8e962cc19.exe was found to be: Known bad.

Malicious Activity Summary

privateloader risepro smokeloader backdoor evasion loader persistence stealer trojan redline @oleh_ps paypal infostealer phishing

RisePro

RedLine payload

SmokeLoader

PrivateLoader

Modifies Windows Defender Real-time Protection settings

RedLine

Downloads MZ/PE file

Drops startup file

Windows security modification

Executes dropped EXE

Loads dropped DLL

.NET Reactor protector

Adds Run key to start application

Drops file in System32 directory

Detected potential entity reuse from brand paypal.

AutoIT Executable

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Runs net.exe

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-12 08:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-12 08:36

Reported

2023-12-12 08:38

Platform

win7-20231130-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A

PrivateLoader

loader privateloader

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ZT4XU63.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ZT4XU63.exe N/A
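The RunOnce values above are not all the same kind of artifact. The three wextract_cleanupN entries are what WExtract/IExpress self-extracting executables register so that advpack.dll!DelNodeRunDLL32 deletes their IXP00N.TMP extraction directory at the next logon; they record a three-layer nested self-extractor (IXP000.TMP unpacks gt5OD74.exe, which unpacks into IXP001.TMP, and so on) rather than persistence. The MaxLoonaFest131 Run value, pointing at a binary under AppData\Local and written by 7ZT4XU63.exe, is the actual autostart. The Python below, added here as an example and not part of the report, encodes that distinction and cross-checks that each layer's cleanup entry was written by a binary living in the previous layer's directory. The entries are the four rows above with the report's string escaping undone; the "user-writable path" rule is this example's own heuristic.

```python
"""Sort the Run/RunOnce values in this report into SFX cleanup vs. persistence.

Added example, not part of the original report. RUN_ENTRIES are the four rows
of the "Adds Run key to start application" table with the report's string
escaping undone; the classification rules are this example's own heuristics.
"""
import re
from dataclasses import dataclass

# WExtract/IExpress self-extractors register RunOnce\wextract_cleanup<N>, which calls
# advpack.dll!DelNodeRunDLL32 to delete their IXP00<N>.TMP extraction directory.
WEXTRACT_NAME = re.compile(r"^wextract_cleanup(\d+)$", re.IGNORECASE)
WEXTRACT_CMD = re.compile(
    r'rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"', re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Directories an unprivileged user can write to; an autostart pointing here deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")

RUN_ENTRIES = [  # (key, value name, data, writing process) as recorded in the report
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce", "wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"',
     r"C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce", "wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"',
     r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce", "wextract_cleanup2",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\"',
     r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe"),
    (r"\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run",
     "MaxLoonaFest131", r"C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe",
     r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ZT4XU63.exe"),
]


@dataclass
class Finding:
    kind: str      # "sfx-cleanup", "persistence" or "other"
    name: str
    detail: str
    writer: str


def classify(entries):
    """Return (findings, layers); layers maps SFX nesting level -> extraction directory."""
    findings, layers = [], {}
    for key, name, data, writer in entries:
        m, cmd = WEXTRACT_NAME.match(name), WEXTRACT_CMD.search(data)
        if m and cmd:
            level = int(m.group(1))
            layers[level] = cmd.group("dir").rstrip("\\")
            findings.append(Finding("sfx-cleanup", name, f"SFX layer {level} unpacked to {layers[level]}", writer))
        elif RUN_KEY.search(key) and any(frag in data.lower() for frag in USER_WRITABLE):
            findings.append(Finding("persistence", name, f"autostart from user-writable path: {data}", writer))
        else:
            findings.append(Finding("other", name, data, writer))
    return findings, layers


def layers_consistent(entries, layers):
    """Each wextract_cleanup<N> (N > 0) should be written by a binary inside layer N-1's directory."""
    for _, name, _, writer in entries:
        m = WEXTRACT_NAME.match(name)
        if m and int(m.group(1)) > 0:
            parent_dir = layers.get(int(m.group(1)) - 1, "")
            if not writer.lower().startswith(parent_dir.lower() + "\\"):
                return False
    return True


if __name__ == "__main__":
    findings, layers = classify(RUN_ENTRIES)
    for f in findings:
        print(f"[{f.kind:12}] {f.name}: {f.detail}  (written by {f.writer})")
    print("SFX nesting depth:", len(layers), "- chain consistent:", layers_consistent(RUN_ENTRIES, layers))
```

Run stand-alone it prints three sfx-cleanup findings, one persistence finding for MaxLoonaFest131, a nesting depth of 3 and a consistent chain. The consistency check is the useful part in triage: if a wextract_cleanup entry were written by something outside the previous layer's directory, the "installer cleanup" explanation would no longer hold.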

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ZT4XU63.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ZT4XU63.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ZT4XU63.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ZT4XU63.exe N/A
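Three of the tables above touch the same policy surface from different angles: 2ZH5394.exe writes the Real-Time Protection Disable* values and TamperProtection = 0 straight into the registry, while 7ZT4XU63.exe creates C:\Windows\System32\GroupPolicy\Machine\Registry.pol, the file that local Group Policy replays into HKLM at every policy refresh. When a Registry.pol like that is recovered from a host, an analyst wants to read it without applying it. The Python below, added here as an example and not taken from the report, parses the PReg format and runs a watchlist of the Defender values seen in this detonation over the parsed records. The Registry.pol bytes it builds are constructed for the demo; the report does not show what the real file contained.

```python
"""Parse a Group Policy Registry.pol and flag Windows Defender policy tampering.

Added example for this report, not part of the original analysis. The "PReg"
layout follows Microsoft's documented Registry Policy File Format. The sample
Registry.pol built below is CONSTRUCTED for the demo: the report only shows
7ZT4XU63.exe creating the file, not its contents.
"""
import struct

PREG_MAGIC, PREG_VERSION = b"PReg", 1
REG_SZ, REG_DWORD = 1, 4

# (key, value) -> the setting that turns the protection off (Disable* = 1, TamperProtection = 0).
RTP = r"software\policies\microsoft\windows defender\real-time protection"
DEFENDER_TAMPER = {
    (RTP, "disablebehaviormonitoring"): 1,
    (RTP, "disableioavprotection"): 1,
    (RTP, "disableonaccessprotection"): 1,
    (RTP, "disablerealtimemonitoring"): 1,
    (RTP, "disablescanonrealtimeenable"): 1,
    (r"software\microsoft\windows defender\features", "tamperprotection"): 0,
}


def _w(s: str) -> bytes:
    """PReg strings and the [ ; ] delimiters are all UTF-16LE."""
    return s.encode("utf-16-le")


def build_registry_pol(entries) -> bytes:
    """Serialise [key;value;type;size;data] records; used here only to construct the sample."""
    body = b""
    for key, value, vtype, data in entries:
        body += (_w("[") + _w(key) + b"\x00\x00" + _w(";") + _w(value) + b"\x00\x00" + _w(";")
                 + struct.pack("<I", vtype) + _w(";") + struct.pack("<I", len(data)) + _w(";")
                 + data + _w("]"))
    return PREG_MAGIC + struct.pack("<I", PREG_VERSION) + body


def _read_wstr(blob: bytes, pos: int):
    """Read a NUL-terminated UTF-16LE string at pos; return (text, position after the NUL)."""
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(blob):
            raise ValueError("unterminated string in Registry.pol")
    return blob[pos:end].decode("utf-16-le"), end + 2


def _expect(blob: bytes, pos: int, ch: str) -> int:
    if blob[pos:pos + 2] != _w(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def parse_registry_pol(blob: bytes):
    """Return [(key, value_name, reg_type, raw_data)] for every record in the file."""
    if blob[:4] != PREG_MAGIC or struct.unpack_from("<I", blob, 4)[0] != PREG_VERSION:
        raise ValueError("not a version-1 PReg file")
    pos, entries = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        value, pos = _read_wstr(blob, pos)
        pos = _expect(blob, pos, ";")
        vtype = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        data, pos = blob[pos:pos + size], pos + size
        pos = _expect(blob, pos, "]")
        entries.append((key, value, vtype, data))
    return entries


def decode_value(vtype: int, data: bytes):
    if vtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if vtype == REG_SZ:
        return data.decode("utf-16-le").rstrip("\x00")
    return data.hex()


def find_defender_tampering(entries):
    """Return [(key\\value, value)] for records that switch a Defender protection off."""
    hits = []
    for key, value, vtype, data in entries:
        # A 32-bit writer sees HKLM\Software through Wow6432Node (as in this report); fold it away.
        norm_key = key.lower().replace("wow6432node\\", "")
        off_value = DEFENDER_TAMPER.get((norm_key, value.lower()))
        if off_value is not None and decode_value(vtype, data) == off_value:
            hits.append((key + "\\" + value, off_value))
    return hits


# Constructed sample: two Real-Time Protection switches, TamperProtection off, one unrelated policy.
SAMPLE_REGISTRY_POL = build_registry_pol([
    (r"Software\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "DisableRealtimeMonitoring", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "DisableBehaviorMonitoring", REG_DWORD, struct.pack("<I", 1)),
    (r"Software\Microsoft\Windows Defender\Features", "TamperProtection", REG_DWORD, struct.pack("<I", 0)),
    (r"Software\Policies\Microsoft\Windows\Personalization", "NoLockScreen", REG_DWORD, struct.pack("<I", 1)),
])

if __name__ == "__main__":
    for path, off_value in find_defender_tampering(parse_registry_pol(SAMPLE_REGISTRY_POL)):
        print(f"Defender protection switched off by policy: {path} = {off_value}")
```

The same watchlist applies directly to the "Set value (int)" rows in the two Defender tables above: a Disable* value of 1 or a TamperProtection of 0 is the off position, and a DWORD of 0 under Real-Time Protection would be a policy that re-enables the feature, which is why the check compares against the specific off value instead of just the key name.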

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4su368xu.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4su368xu.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4su368xu.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7CD76F31-98C9-11EE-BF5A-D27DC150AB5B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7CDE6C41-98C9-11EE-BF5A-D27DC150AB5B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7CE32F01-98C9-11EE-BF5A-D27DC150AB5B} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4su368xu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4su368xu.exe N/A
N/A N/A N/A N/A (this row repeats 60 times)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4su368xu.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1428 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe
PID 1428 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe
PID 1428 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe
PID 1428 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe
PID 1428 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe
PID 1428 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe
PID 1428 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe
PID 1808 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe
PID 1808 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe
PID 1808 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe
PID 1808 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe
PID 1808 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe
PID 1808 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe
PID 1808 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe
PID 2984 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe
PID 2984 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe
PID 2984 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe
PID 2984 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe
PID 2984 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe
PID 2984 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe
PID 2984 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe
PID 3068 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3068 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files\Internet Explorer\iexplore.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe

"C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://twitter.com/i/flow/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.epicgames.com/id/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://steamcommunity.com/openid/loginform

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://store.steampowered.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.paypal.com/signin

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2540 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2592 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2420 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2148 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2548 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2656 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2612 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4su368xu.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4su368xu.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ZT4XU63.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ZT4XU63.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
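
The process listing above is the whole story of this detonation in miniature: three nested wextract (IExpress) self-extractors, a dropped 1rj53sF0.exe that opens Internet Explorer on a run of login pages, and two schtasks /create lines that install an hourly and an at-logon task running from C:\ProgramData with the highest available integrity. The script below is an added example, not part of the sandbox report or of any vendor's tooling: it parses (image path, command line) pairs copied from the listing, extracts the login URLs handed to the browser, turns the schtasks lines into structured persistence records, and counts the wextract layers from the IXP00N.TMP staging directories. The user-writable directory list and the trigger list used for scoring are this example's own assumptions.

```python
"""Triage helpers for the process listing above.

Added example; not part of the sandbox report or of any vendor's tooling.
Tokenizes Windows command lines, pulls the login URLs that 1rj53sF0.exe hands
to Internet Explorer, parses the two schtasks /create lines into persistence
records, and measures how deeply the sample is wrapped in wextract (IExpress)
self-extractors, whose staging directories are the IXP00N.TMP folders under
the user's Temp. USER_WRITABLE and the trigger list are assumptions.
"""
import re

LOGIN_URLS = (  # copied from the iexplore.exe command lines above
    "https://accounts.google.com/", "https://www.facebook.com/login",
    "https://accounts.google.com/", "https://twitter.com/i/flow/login",
    "https://www.epicgames.com/id/login", "https://steamcommunity.com/openid/loginform",
    "https://store.steampowered.com/login", "https://accounts.google.com/",
    "https://www.youtube.com/", "https://www.paypal.com/signin",
)
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
TASK = r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 {0}" /sc {1} /rl HIGHEST'

# Constructed from the "Processes" listing above: (image path, command line).
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe",
     r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe"),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe",
     r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe"),
    (r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe",
     r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe"),
    *[(IE, f'"{IE}" {url}') for url in LOGIN_URLS],
    (r"C:\Windows\SysWOW64\schtasks.exe", TASK.format("HR", "HOURLY")),
    (r"C:\Windows\SysWOW64\schtasks.exe", TASK.format("LG", "ONLOGON")),
]

_ARG = re.compile(r'"([^"]*)"|(\S+)')
_IXP = re.compile(r"\\IXP(\d{3})\.TMP\\", re.I)
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
# Assumption for this example: directories a standard user can write to.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _ARG.findall(cmdline)]


def basename(path):
    """Last component of a Windows path, lower-cased (os.path is POSIX here)."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def browser_launch_urls(processes):
    """URLs passed on the command line of any browser process, in report order."""
    return [arg for image, cmd in processes if basename(image) in BROWSERS
            for arg in tokenize(cmd)[1:] if re.match(r"https?://", arg, re.I)]


def parse_schtasks(cmdline):
    """Turn 'schtasks /create ... /tn X /sc Y /rl Z' into a dict, else None."""
    toks = tokenize(cmdline)
    if not toks or basename(toks[0]) not in ("schtasks", "schtasks.exe"):
        return None
    flags = {"/ru": "run_as", "/tr": "target", "/tn": "task_name",
             "/sc": "trigger", "/rl": "run_level"}
    rec = {"action": toks[1].lstrip("/").lower() if len(toks) > 1 else None,
           "force": "/f" in [t.lower() for t in toks]}
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() in flags:
            rec[flags[tok.lower()]] = toks[i + 1]
    return rec


def persistence_findings(processes):
    """Scheduled-task creations worth a second look, with the reasons why."""
    out = []
    for _, cmd in processes:
        rec = parse_schtasks(cmd)
        if not rec or rec["action"] != "create":
            continue
        reasons = []
        if any(p in rec.get("target", "").lower() for p in USER_WRITABLE):
            reasons.append("runs a binary from a user-writable directory")
        if rec.get("run_level", "").upper() == "HIGHEST":
            reasons.append("asks for the highest available integrity level")
        if rec.get("trigger", "").upper() in ("ONLOGON", "ONSTART", "MINUTE", "HOURLY"):
            reasons.append("re-executes on " + rec["trigger"].upper())
        if reasons:
            out.append({"task_name": rec.get("task_name"),
                        "target": rec.get("target"), "reasons": reasons})
    return out


def wextract_nesting(processes):
    """How many wextract layers ran: IXP000.TMP is layer 1, IXP002.TMP layer 3."""
    layers = [int(m.group(1)) + 1 for image, _ in processes
              for m in [_IXP.search(image)] if m]
    return max(layers, default=0)


if __name__ == "__main__":
    print("wextract layers:", wextract_nesting(PROCESSES))
    print("login pages opened:", browser_launch_urls(PROCESSES))
    for f in persistence_findings(PROCESSES):
        print(f["task_name"], "->", f["target"], "|", "; ".join(f["reasons"]))
```

The listing has no parent column, so the link between 1rj53sF0.exe and the browsers comes from the WriteProcessMemory rows above rather than from this parser; on a live host the same question is answered by the parent PID in Sysmon event 1. Three wextract layers is itself a useful signal: legitimate IExpress packages rarely nest, and each layer leaves a wextract_cleanupN RunOnce value that can be used to pivot on the IXP00N.TMP directories.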

Network

Country Destination Domain Proto
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.epicgames.com udp
US 8.8.8.8:53 twitter.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 store.steampowered.com udp
US 8.8.8.8:53 www.paypal.com udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 store.steampowered.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 twitter.com udp
US 8.8.8.8:53 www.paypal.com udp
US 8.8.8.8:53 www.epicgames.com udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 store.steampowered.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.epicgames.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 twitter.com udp
US 8.8.8.8:53 www.paypal.com udp
US 193.233.132.51:50500 tcp
RU 81.19.131.34:80 tcp
US 193.233.132.51:50500 tcp
RU 81.19.131.34:80 tcp
US 193.233.132.51:50500 tcp
US 193.233.132.51:50500 tcp
US 193.233.132.51:50500 tcp
US 193.233.132.51:50500 tcp
US 193.233.132.51:50500 tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe

MD5 926ac8da1dbca4e291dddba0786293d4
SHA1 4c303a457f54ca87d0ff9431f1fbbbb6e73aa6e8
SHA256 e90b83cfdc6e845e22893ed218c0804fff357dcd89f1212b488e3f4925c99885
SHA512 ab09b01a13ddd61898849cd89464d3c0491f10a5b5b535a1332470d1c1b53e4ea15aa4603b9225d7102846b4e33c7a843cfbaba0e4d96dd3e3cb073bdfd609a7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe

MD5 95d19b149878529bc8f5e921fe2738ca
SHA1 88ed13501f8bcbb458e6a7e7f23cfbcb5235c1f4
SHA256 f6d7da94a1a7fb3a893d2bc00daa099a91c37ac782cb897644d5d4424dccd4ad
SHA512 41959f40565db49648852af70d1efa5fc93ca230f49536bfd7559366f0d9a3ce4b04af6490bbd8c32e147bbf0fbd9a02c44e97873bf9833a06d807d787bb7513

\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe

MD5 364430558e0b317ac0d046038afe19c4
SHA1 d4cefa071dc8403a707368f3f1ec5ca0086dcbfc
SHA256 a84673ffb0df6a613b95c799fa2a2c2430a1f585b7d244c20512963917732b27
SHA512 a6170a3ae194ca68390ab41988f9988e53d1386394354b5e1eb818c65cde6d9c1abde954f2c3ef2cdb75ea9e2032ce99521761b5b87c9fa62478d14d2b2317c4

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe

MD5 003e39cf016e1b8a49b837826ec6fd22
SHA1 84181b808d56554cb9605b3735e8d18463608811
SHA256 87b06acc3312b2f016b43b262f8195c6bb0ef7253272f4927b0ca5d4bfbf7419
SHA512 710c6f9909fb1684415f99d8271f6c535ae0418b86d361d6b1fbbd43e9eea9b1f124ed776e5883c49dac28dc436822cb6bc946167fd260ff404db75cb3083e2b

\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe

MD5 8fa61165c42845747a98e81efc2e5adc
SHA1 efa46e19b546bdec87e1bd3a8274b6336df6129e
SHA256 9b8c6d4576be677c98beef2aa465c260e911e599e74670d0bc1629d3a41d39a6
SHA512 002ee79fc95d97fe7eba45d28b622ef6aa29ae5ff53733d225c04542548605dae8861e652a8cea8b022c89bec4251cbece977fd591619163b2a1d67ad683cfad

\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe

MD5 d0b8aadbfb9145ce3c03d2aa4fff5bdc
SHA1 27b0e90d6662af2410af2ee7c78cb9b3051a27e5
SHA256 3090962f29ab05b44962f9ce489d1663a3ab455a9dd25cb3427a88f18fa1280e
SHA512 19c1df209c51bbf27c0bf7d8e93f9747a38b37af8890fc5cd23fb682900512c5bf20ba5c8493a4f8f2f84129a24c61a22d6e2f2cf53b94f66e1b3c80a12c2861

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe

MD5 e6e5205ba695509c83c32fad7f62b41d
SHA1 e62ef940426786fa83d8a24e7abdb7e962ce8038
SHA256 0d8f8cc5da70751c0a54b76cd9a0a1d826674a3e8281c01a0f2e0237733bd949
SHA512 0e2070b28eeaf2154d0cb9bc9156218887ac3b98017b4506612472cbcd4eb95ed64cd36c162f236093dacb4afe372c2aa499d0295d10ab438e35b58a08ff8885

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe

MD5 1edd190f33a14c5f947072bf386aa394
SHA1 c4d9471bf50abbc6ab2b238ce50694db4bcf9ee7
SHA256 baa41367ca46d6e472214bdfdd56352d84d38c341c0c727e771ce5658891511c
SHA512 98153e688ffffa972ba603f731c04ba8c0680688231b5ceaf146798e7711007f9427ed6b5a175bea93d25f1713d97731e16db3636801c33a1e18c42983f276f8

\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe

MD5 0e1e7fc9bbc88ead6447f4060f4e1603
SHA1 bb47362c357a4f248b1ac13bb1fb38e42d4aba70
SHA256 59722fd3ce2fd50ab6a3cdb4feaa1494f60401a639f42df4cc5434cd19eba7a1
SHA512 cfbba0070a909a297c8d5805fbf7c64d92e2091f72eb33ebb1cba92be37e1b15c3a04e85ae7b3d302641a8c092d2c265138ea30a00e2e95e5b97b116d49d7b14

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe

MD5 af810a7a91f254a0894f8d8beee6ea22
SHA1 332037322b9d262d2afb52e2f3109980f5cfb0b1
SHA256 0eb78530d75a30b02e425118c1ea99c665882d7f54d85834b1561c7739b7465b
SHA512 f2650cded649f2e52dc1f33d8b21f3b7a4c5eb36eb83566d7a45de4250cce1bdda2e746f0b2d3ac48d1aeccb91914d0f56b0d0f2fc12eaf7ed6ece0179ad143f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe

MD5 cec5cc363c36329696c04fa2c34f4a29
SHA1 b9fe46cf52bf83372ab47ad5fdb2c81b407adf42
SHA256 9d7a829f3c3d533989af032d099548e8646d550b9d84c57405b52c9007d7c0a2
SHA512 96b218a82270c8084d2b3cae644378f9275025a4af317a307dcd9aee281ff887b48aadcdddcf85c93524a300d385588e3f1e9c3158760bf257010b16ea63ea95

\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe

MD5 848274b851b0cbb2b1cd9c5a5eecc5d0
SHA1 9fc6af68b762a6f6cd729f1b4363548d457066c7
SHA256 3be405d75173e7b01e4b7c91e2fdc6051f7401109e8a3455dde1a04c8360e873
SHA512 961fe65fd22a225429dab8e1206918dd2d535815720aa2ff4e90270aa058e206c0c3c432f07f787fe0b34a6e5e387fce0e83ad16ab7b8a7fb8aa67bfd8e7b2d2

\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe

MD5 e2e2c57c90cb9f1f99da286756a0c7cb
SHA1 923c1cb68b19eab296e4f30c8d85c05cfea25b88
SHA256 b9a471a4a0df02ad0831f265adbbfc123a72d27fd16971e8c2c81cc6d850b171
SHA512 2d1a58a46d940e76e9b0752a46ea34262caadf4c50dc5c2afb48c1550215ccc9d00ec01a07bd9c92f3b3a8fb8c99c41e3da83829168318e8249d1e017d4548f4

memory/2156-37-0x0000000000B40000-0x0000000000B5A000-memory.dmp

memory/2156-36-0x0000000000A90000-0x0000000000AAC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7CD9A981-98C9-11EE-BF5A-D27DC150AB5B}.dat

MD5 9595e1d473efbc548e6903b34c7ad65b
SHA1 df3a47927c09fcb23a6ff08ed924d6f0f67bfd7f
SHA256 b507dc7eabd66c5196d031065df7cbf1d2321136e2e7ba2bacbca9a5faccf9e0
SHA512 98a962b432fa72c51aa0756e4817a0c68d8c0d49dabded3bd6f0becb8ab71a0422c88923fb97bc8e0048e0e61ea6a208592f329cb8dcd1b8b0e96db44da06686

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7CEA5321-98C9-11EE-BF5A-D27DC150AB5B}.dat

MD5 8d23706a888ceff9864f05805c1cb75c
SHA1 a219f2e011f9d45636d81aec4db1da145599683e
SHA256 7beca05b6c1193222bd525108c7794bf93fbcf8566e1d888716dbc90c07f7540
SHA512 c1cf67767a751198ec63ca46cf77bf1754e27cf359e272433245d899947a404a648c7cc48b5e76b1fd43cec67b4c3936e5ab01bfb8a5a1e086e229299454e062

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7CDE6C41-98C9-11EE-BF5A-D27DC150AB5B}.dat

MD5 5dc43e503cee2c2d33ea6a7204db64ad
SHA1 e9762a81c0a0ab1d788e16985dd7f0fb792f5291
SHA256 6d67932d0f3dc48fe2d76aff19f777aea5f6ab63d349154ecf9fe159b22aa403
SHA512 e267ee49697806d8e19157ff87abff027ee6cb4c4e594e811da595bc57f2dd044c65d25ecf090c8bb4b3cc18e8a6a4d537f2836e7152fa884bdef2b10b874f1f

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7CD74821-98C9-11EE-BF5A-D27DC150AB5B}.dat

MD5 5216434d23c339200f09cfe81857f7b7
SHA1 18fdce23751e71460d99b3a14717e24406685669
SHA256 1edd2fb56fbd570bd961901eeb9f0c0c502aeab619cd52ea3d6c5a2e03a55707
SHA512 55ec797f41806056dd3604313d04eeacab5fa0211a9c4121154347b0cbcd63640899a67928c1418fa144a14d6f457b7be806164c4ef673857df49af7546033da

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7CDE9351-98C9-11EE-BF5A-D27DC150AB5B}.dat

MD5 8da4f50f3ea27691f3cae635febf4779
SHA1 8337c1d7c3810c435190f189709e5b4ac70ab1f7
SHA256 53ba8e797a1c434745a907106f9dfb7966799b698b215f34d119419e5e21e665
SHA512 608ef77ea203b0c456032ca2556e6c65527d00cc32829658780db17b7f911d71ff2ab96f4476bb9fbb549f59453f3302283d1f06ff72bd301d96061e318a7753

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7CD76F31-98C9-11EE-BF5A-D27DC150AB5B}.dat

MD5 5e2ed0d0b444731f04c741ce76fe961c
SHA1 ffb13fd00ff9bc27dea5973766b2e307d89474ff
SHA256 4d4525f197a0fc2b1e0dee66c9a2444b3bfb0621d43f594280aa195f06de0553
SHA512 798752b9bd1cc8d7dab3b49b072cf35beeac03698984f4355d2f82ee2b400f057e1240501705a5878251a777e10839fb15302d6715150b999d5137d75fd7319f

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7CE35611-98C9-11EE-BF5A-D27DC150AB5B}.dat

MD5 209f68af65d6575b9405b41dcf6fdd4a
SHA1 c1abeac2c3fd0d706106381391c56c087e6ddd7d
SHA256 ea51618821fd1ebe9def249b338396c299d773be3a528746259337df5ce0ea40
SHA512 a90201d52a67f8ebe48579674defa983b385f5a18c6c3fce15bafda7e43391a7a1cdd91430da06e2d1e6b5e3739da7f63ea1e63846bc90b53bf078b884e95a3c

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7CDC0AE1-98C9-11EE-BF5A-D27DC150AB5B}.dat

MD5 b7a65cf1ec0ce4ee122db24fea51c934
SHA1 dbcbd6a9607e32ec52f84819740099865c4a98e7
SHA256 32899e1a9b3b24a7c4480164f53b3c00c4464446c87ebe6057313a7a3d64a788
SHA512 c436b8e352df9449c82691b2ffbee559020b7a14361def3b54310eb9bcaabb1da2ee1c800b73d87ee13fd836f378f46cac9f2891f8f1dfe269157a7b61531665

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7CEA5321-98C9-11EE-BF5A-D27DC150AB5B}.dat

MD5 34ac3cc27104dc64f257eec685322081
SHA1 ccb08f86040b918bdafee40fd7a8c5b1291893f1
SHA256 3cad638c34afe1a6cc4f80da621806cffa09316dd0b0a7e94b53b64a153ff551
SHA512 9d9f4cc4d08671064f5cb325cf01c91e9c7b47cbeec50d8897146bf562c9097866195f8b6e351f8c0bb402f92854b5f9f56bb8a4a38f373edaabdd288eaa412d

\Users\Admin\AppData\Local\Temp\IXP001.TMP\4su368xu.exe

MD5 cf07c7308914325c86f64625c2411c76
SHA1 a06914e97ec6ca6baa6656a46e0f0228b7c20afa
SHA256 5efa3e3fea37dedfe72bc279d46ef26675f978dbb83407c1320ac23f0dc6241a
SHA512 f327d9f2cfb8e4b394ef4b60919a8b4c2f475a9888f2967ce588032826016b40845489be281df5522fd61df3e04bc5922105b04099dd56d7889686c76a2eb098

memory/1808-57-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3284-58-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1808-53-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3284-60-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1348-59-0x0000000003CE0000-0x0000000003CF6000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ZT4XU63.exe

MD5 7284324f61faabe6df7c858e73b881b7
SHA1 97780181d53f87b5d4ae68ed24a84e000f16a24f
SHA256 3e4177cb33263b2aad1a5a691bf1bf9824d2d2cdad2bd88aa0c48e378fc1d11f
SHA512 6bc92a7fe21d7e7456c01e14ebaaa652afa22f9834ff72208f26ecf8a61fa2b7d021dfb69a537fd4da8e9c8abe4bb87ac6972e6e7b0f6eeb3c2d7b0508c873f1

\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ZT4XU63.exe

MD5 7d65ff93ad68053af662b8a7ae8935cc
SHA1 a8576b7b079a27a030015ef6869cf22b6f10dbae
SHA256 c68f3fa28dea6e7f5ca8fc1a7e5d6f24f1d49d004111fd8afc32a364387c1364
SHA512 f71bc35b7de6d454209727fe9bb7a1d052becb24d5fbdf84bfce18b81bc2f6f673ec3bdef286f07a3efa80f01e01645cec3f240f2c16bfe018f032844e07a0c6

memory/3392-72-0x0000000000EB0000-0x0000000000F7B000-memory.dmp

memory/3392-73-0x0000000000EB0000-0x0000000000F7B000-memory.dmp

memory/3392-74-0x0000000002930000-0x0000000002AC5000-memory.dmp

memory/3392-75-0x0000000000400000-0x0000000000919000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk

MD5 9cab2994b04bc8e3d2b479f369f84ba4
SHA1 68631156a3319e031333c86115accc94c904c42e
SHA256 1a6ab0146b336b8ddd238a86d21facc4dd57ee99abf2dadb2de315c4d155fd58
SHA512 cb72ac94f8a345c9b543540d5b44a6393d5c9c7b4c132112abde28e246c2bd9d9453b51918629d4519c9aa86269cc4a825b0250339628b842b384073feed0d67

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\58A484P9\dnserror[1]

MD5 73c70b34b5f8f158d38a94b9d7766515
SHA1 e9eaa065bd6585a1b176e13615fd7e6ef96230a9
SHA256 3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4
SHA512 927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QCKEF6LM\NewErrorPageTemplate[1]

MD5 cdf81e591d9cbfb47a7f97a2bcdb70b9
SHA1 8f12010dfaacdecad77b70a3e781c707cf328496
SHA256 204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd
SHA512 977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\58A484P9\errorPageStrings[1]

MD5 e3e4a98353f119b80b323302f26b78fa
SHA1 20ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA256 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512 d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q3WFVYR2\httpErrorPagesScripts[1]

MD5 3f57b781cb3ef114dd0b665151571b7b
SHA1 ce6a63f996df3a1cccb81720e21204b825e0238c
SHA256 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA512 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

memory/3392-119-0x0000000000400000-0x0000000000919000-memory.dmp

memory/3392-132-0x0000000002930000-0x0000000002AC5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-12 08:36

Reported

2023-12-12 08:38

Platform

win10v2004-20231127-en

Max time kernel

31s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
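
The two Defender tables above record 2ZH5394.exe writing five Real-Time Protection policy values to 1 and Features\TamperProtection to 0, all under the WOW6432Node view because the writer is a 32-bit process. The script below is an added example, not part of the report or of any vendor's tooling: it parses "Set value" rows copied from those tables (plus one constructed control row that re-enables a setting from a system process), normalises the key path so 32-bit and 64-bit writers hit the same rule, and matches each row against a small table of Defender kill switches. The kill-switch table, its effect descriptions and the host-side check names are this example's own; DisableAntiSpyware is included for completeness although this sample did not touch it.

```python
"""Flag sandbox registry writes that weaken Microsoft Defender.

Added example, not part of the report or of any vendor tooling. The event
lines are copied from the two Defender tables above plus one constructed
control line; DEFENDER_SWITCHES is this example's own table, built from the
documented Defender policy settings. The Get-MpPreference / Get-MpComputerStatus
names are how to verify the effect on the real host: the sandbox records the
write, not whether Defender honoured it.
"""
import re

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"

# Constructed from the report tables above (Description Indicator Process Target).
REGISTRY_EVENTS = [
    f"Key created {RTP} {DROPPER} N/A",
    *[f'Set value (int) {RTP}\\{name} = "1" {DROPPER} N/A' for name in (
        "DisableBehaviorMonitoring", "DisableIOAVProtection", "DisableOnAccessProtection",
        "DisableRealtimeMonitoring", "DisableScanOnRealtimeEnable")],
    f'Set value (int) {FEATURES}\\TamperProtection = "0" {DROPPER} N/A',
    # Constructed control line: same value name but data 0 (re-enabling), from a system process.
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" C:\Windows\System32\svchost.exe N/A',
]

# (key under HKLM\SOFTWARE, value name) -> (data that weakens Defender, effect, host-side check)
DEFENDER_SWITCHES = {
    (r"Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring"):
        ("1", "turns off real-time scanning", "Get-MpPreference: DisableRealtimeMonitoring"),
    (r"Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableBehaviorMonitoring"):
        ("1", "turns off behaviour monitoring", "Get-MpPreference: DisableBehaviorMonitoring"),
    (r"Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableIOAVProtection"):
        ("1", "stops scanning downloads and attachments", "Get-MpPreference: DisableIOAVProtection"),
    (r"Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableOnAccessProtection"):
        ("1", "turns off on-access file scanning", None),
    (r"Policies\Microsoft\Windows Defender\Real-Time Protection", "DisableScanOnRealtimeEnable"):
        ("1", "skips the catch-up scan when real-time protection is re-enabled", None),
    (r"Policies\Microsoft\Windows Defender", "DisableAntiSpyware"):
        ("1", "disables the Defender antivirus engine", "Get-MpComputerStatus: AntivirusEnabled"),
    (r"Microsoft\Windows Defender\Features", "TamperProtection"):
        ("0", "tries to switch Tamper Protection off", "Get-MpComputerStatus: IsTamperProtected"),
}

_SET_VALUE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>[^"]*)" (?P<process>.+?)(?: N/A)?$')


def canonical_key(path):
    """\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\X -> HKLM\\SOFTWARE\\X, so a 32-bit
    writer (redirected into WOW6432Node) and a 64-bit one hit the same rule."""
    path = re.sub(r"^\\REGISTRY\\MACHINE(?=\\)", "HKLM", path, flags=re.I)
    return re.sub(r"\\WOW6432Node(?=\\)", "", path, flags=re.I)


def parse_set_value(line):
    """One 'Set value (type) path\\name = "data" process' row, or None for other rows."""
    m = _SET_VALUE.match(line)
    if not m:
        return None
    key, _, value = m["path"].rpartition("\\")
    return {"type": m["type"], "key": canonical_key(key), "value": value,
            "data": m["data"], "process": m["process"]}


def classify(lines):
    """Rows whose (key, value, data) match a Defender kill switch, tagged ATT&CK T1562.001."""
    findings = []
    for line in lines:
        ev = parse_set_value(line)
        if ev is None:
            continue
        for (key, name), (bad, effect, check) in DEFENDER_SWITCHES.items():
            if (ev["key"].lower() == ("HKLM\\SOFTWARE\\" + key).lower()
                    and ev["value"].lower() == name.lower() and ev["data"] == bad):
                findings.append({**ev, "effect": effect, "verify": check,
                                 "technique": "T1562.001"})
    return findings


def tampering_processes(lines):
    """Distinct process images that wrote at least one Defender kill switch."""
    return sorted({f["process"] for f in classify(lines)})


if __name__ == "__main__":
    for f in classify(REGISTRY_EVENTS):
        print(f["process"], f["value"], "=", f["data"], "|", f["effect"], "|", f["verify"])
```

The rule keys on the (key, value, data) triple rather than on the key path alone, which is why the constructed svchost.exe row writing DisableRealtimeMonitoring = 0 is not flagged. On a host where Tamper Protection was on, Defender does not honour these policy values and the TamperProtection value cannot be cleared by a user-mode process, so treat the rows as evidence of intent and confirm the actual state with the cmdlets named in the table.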

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe N/A

The wextract_cleanupN RunOnce values are written by wextract.exe, the IExpress self-extractor that unpacks each IXP00N.TMP stage, and only schedule rundll32 advpack.dll,DelNodeRunDLL32 to delete the extraction directory at the next logon; they are the packer's own cleanup, not attacker-controlled persistence, and the signature fires on them because any RunOnce write matches. The persistence that matters in this sample is the OfficeTrackerNMP131 scheduled tasks and the FANBooster131.lnk Startup entry recorded in behavioral1.

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Detected potential entity reuse from brand paypal.

phishing paypal

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5092 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe
PID 5092 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe
PID 5092 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe
PID 640 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe
PID 640 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe
PID 640 wrote to memory of 4144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe
PID 4144 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe
PID 4144 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe
PID 4144 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe
PID 1164 wrote to memory of 260 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 260 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 424 wrote to memory of 5032 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 424 wrote to memory of 5032 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 260 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 260 wrote to memory of 4552 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3488 wrote to memory of 2960 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3488 wrote to memory of 2960 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4956 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4956 wrote to memory of 4016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3136 wrote to memory of 3016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3136 wrote to memory of 3016 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2404 wrote to memory of 1096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1368 wrote to memory of 4668 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1368 wrote to memory of 4668 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3820 wrote to memory of 4548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3820 wrote to memory of 4548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 472 wrote to memory of 3656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 472 wrote to memory of 3656 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1164 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2012 wrote to memory of 1256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2012 wrote to memory of 1256 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4144 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe
PID 4144 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe
PID 4144 wrote to memory of 5260 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe
PID 3488 wrote to memory of 5272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3488 wrote to memory of 5272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3488 wrote to memory of 5272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3488 wrote to memory of 5272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3488 wrote to memory of 5272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3488 wrote to memory of 5272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3488 wrote to memory of 5272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3488 wrote to memory of 5272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3488 wrote to memory of 5272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3488 wrote to memory of 5272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3488 wrote to memory of 5272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3488 wrote to memory of 5272 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe

"C:\Users\Admin\AppData\Local\Temp\4224a95928d9161db16a1ac8e962cc19.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe079746f8,0x7ffe07974708,0x7ffe07974718

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,15700618732999281648,8849714292379122342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,11743381930618720387,10488798242232109620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,14039042327584197474,4014683843161892875,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,11743381930618720387,10488798242232109620,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,10639202077873554371,10099516084876874217,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,8111816433291045021,7103328906360231167,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,15293954855552875799,17207888902582791255,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,4304714345733540530,193090130468500674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,9813241207518751847,3666483044513432041,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15293954855552875799,17207888902582791255,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,13012253398856202962,13884397092860204300,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,4304714345733540530,193090130468500674,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,15700618732999281648,8849714292379122342,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14039042327584197474,4014683843161892875,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,8111816433291045021,7103328906360231167,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,10639202077873554371,10099516084876874217,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9813241207518751847,3666483044513432041,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,13012253398856202962,13884397092860204300,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6728 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7404 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7448 /prefetch:1

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv ekjEeOYNcUuPzCbep7QeOQ.0.2

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7260 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7260 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4su368xu.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4su368xu.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3812 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ZT4XU63.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7ZT4XU63.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5692 -ip 5692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5692 -s 624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,11883633411140233795,10669840195089011629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\B2.exe

C:\Users\Admin\AppData\Local\Temp\B2.exe

C:\Users\Admin\AppData\Local\Temp\9FD1.exe

C:\Users\Admin\AppData\Local\Temp\9FD1.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-B53PG.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-B53PG.tmp\tuc3.tmp" /SL5="$2028E,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\CEB2.exe

C:\Users\Admin\AppData\Local\Temp\CEB2.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Query

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -i

C:\Users\Admin\AppData\Local\Temp\D8B6.exe

C:\Users\Admin\AppData\Local\Temp\D8B6.exe

C:\Program Files (x86)\xrecode3\xrecode3.exe

"C:\Program Files (x86)\xrecode3\xrecode3.exe" -s

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 1

C:\Users\Admin\AppData\Local\Temp\E1CF.exe

C:\Users\Admin\AppData\Local\Temp\E1CF.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.youtube.com udp
BE 64.233.167.84:443 accounts.google.com tcp
BE 64.233.167.84:443 accounts.google.com tcp
GB 142.250.187.238:443 www.youtube.com tcp
GB 142.250.187.238:443 www.youtube.com tcp
US 8.8.8.8:53 www.paypal.com udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 84.167.233.64.in-addr.arpa udp
US 8.8.8.8:53 www.epicgames.com udp
US 8.8.8.8:53 store.steampowered.com udp
US 151.101.1.21:443 www.paypal.com tcp
US 151.101.1.21:443 www.paypal.com tcp
US 3.232.47.168:443 www.epicgames.com tcp
US 3.232.47.168:443 www.epicgames.com tcp
US 2.17.5.46:443 store.steampowered.com tcp
US 2.17.5.46:443 store.steampowered.com tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 steamcommunity.com udp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
US 8.8.8.8:53 twitter.com udp
GB 104.103.202.103:443 steamcommunity.com tcp
GB 104.103.202.103:443 steamcommunity.com tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
US 8.8.8.8:53 21.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 168.47.232.3.in-addr.arpa udp
US 8.8.8.8:53 46.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 35.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 103.202.103.104.in-addr.arpa udp
BE 64.233.167.84:443 accounts.google.com udp
US 8.8.8.8:53 46.10.230.54.in-addr.arpa udp
US 8.8.8.8:53 1.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
FR 216.58.204.68:443 www.google.com tcp
US 8.8.8.8:53 68.204.58.216.in-addr.arpa udp
GB 142.250.187.238:443 www.youtube.com udp
US 8.8.8.8:53 i.ytimg.com udp
GB 142.250.178.22:443 i.ytimg.com tcp
US 8.8.8.8:53 www.paypalobjects.com udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 tracking.epicgames.com udp
US 52.203.233.59:443 tracking.epicgames.com tcp
US 8.8.8.8:53 22.178.250.142.in-addr.arpa udp
US 8.8.8.8:53 25.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 store.akamai.steamstatic.com udp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 abs.twimg.com udp
US 8.8.8.8:53 api.twitter.com udp
US 8.8.8.8:53 api.x.com udp
US 152.199.21.141:443 abs.twimg.com tcp
US 8.8.8.8:53 video.twimg.com udp
US 104.18.37.14:443 api.x.com tcp
US 8.8.8.8:53 t.co udp
US 104.244.42.2:443 api.twitter.com tcp
US 8.8.8.8:53 pbs.twimg.com udp
US 152.199.21.141:443 abs.twimg.com tcp
GB 199.232.56.158:443 video.twimg.com tcp
US 104.244.42.69:443 t.co tcp
US 192.229.233.50:443 pbs.twimg.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 152.199.21.141:443 abs.twimg.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 static-assets-prod.unrealengine.com udp
US 8.8.8.8:53 59.233.203.52.in-addr.arpa udp
US 8.8.8.8:53 200.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 141.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 14.37.18.104.in-addr.arpa udp
US 8.8.8.8:53 2.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 69.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 158.56.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 50.233.229.192.in-addr.arpa udp
GB 13.224.81.88:443 static-assets-prod.unrealengine.com tcp
US 8.8.8.8:53 88.81.224.13.in-addr.arpa udp
US 8.8.8.8:53 42.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 community.akamai.steamstatic.com udp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 220.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 static.ads-twitter.com udp
US 199.232.168.157:443 static.ads-twitter.com tcp
US 8.8.8.8:53 23.147.70.163.in-addr.arpa udp
US 8.8.8.8:53 157.168.232.199.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
IE 163.70.147.35:443 facebook.com tcp
US 8.8.8.8:53 35.147.70.163.in-addr.arpa udp
US 8.8.8.8:53 fbcdn.net udp
IE 163.70.147.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 www.recaptcha.net udp
GB 142.250.200.3:443 www.recaptcha.net tcp
US 8.8.8.8:53 c.paypal.com udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
GB 142.250.200.3:443 www.recaptcha.net udp
US 192.55.233.1:443 tcp
US 192.55.233.1:443 tcp
FR 216.58.204.68:443 www.google.com udp
US 8.8.8.8:53 t.paypal.com udp
US 151.101.1.35:443 t.paypal.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
GB 104.77.160.200:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 35.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 sentry.io udp
US 35.186.247.156:443 sentry.io tcp
US 8.8.8.8:53 156.247.186.35.in-addr.arpa udp
US 8.8.8.8:53 login.steampowered.com udp
GB 104.103.202.103:443 login.steampowered.com tcp
US 8.8.8.8:53 b.stats.paypal.com udp
US 64.4.245.84:443 b.stats.paypal.com tcp
US 8.8.8.8:53 dub.stats.paypal.com udp
US 64.4.245.84:443 dub.stats.paypal.com tcp
US 8.8.8.8:53 84.245.4.64.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 api.steampowered.com udp
US 8.8.8.8:53 api.twitter.com udp
US 104.244.42.130:443 api.twitter.com tcp
GB 104.103.202.103:443 api.steampowered.com tcp
US 104.244.42.130:443 api.twitter.com tcp
US 8.8.8.8:53 130.42.244.104.in-addr.arpa udp
US 152.199.21.141:443 abs.twimg.com tcp
US 8.8.8.8:53 c6.paypal.com udp
US 151.101.1.35:443 c6.paypal.com tcp
FR 185.221.198.96:80 185.221.198.96 tcp
US 8.8.8.8:53 96.198.221.185.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\gt5OD74.exe

MD5 926ac8da1dbca4e291dddba0786293d4
SHA1 4c303a457f54ca87d0ff9431f1fbbbb6e73aa6e8
SHA256 e90b83cfdc6e845e22893ed218c0804fff357dcd89f1212b488e3f4925c99885
SHA512 ab09b01a13ddd61898849cd89464d3c0491f10a5b5b535a1332470d1c1b53e4ea15aa4603b9225d7102846b4e33c7a843cfbaba0e4d96dd3e3cb073bdfd609a7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\gE8bL67.exe

MD5 b3532cf677a8ca4e9431179cec9ae5c5
SHA1 1877efbf018f4cc0cdaa64fd60572149572a2b23
SHA256 3a521694c5fed5a14f991b108d1b53a9137fc1e592e7a5630bfc9f7a06db3f4f
SHA512 4833f83004bc4d759bdf64a1022e535a09da61767bf5a3225f7f754a8f058efd0713b47933a0664ede6a3b9fa27b05f3c7f9fb6f99f15995d490400fdeb74927

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1rj53sF0.exe

MD5 44bd4ee1fe1417a751e520623210f59f
SHA1 be95a12db5450a83da5d50b3e438f3593dad81e6
SHA256 371ad66bfdf5131de720e466af5b4bfb1139397ee70169305a1cf801622aaed4
SHA512 a7c34447b38e753a5a809638430eecf310a6385ee5b6fb7cd9b80588c490b9df6189275aeb33ece6cb8f927e874e93306dbb2b4ebfc976a7a281c9547c781ec8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5990c020b2d5158c9e2f12f42d296465
SHA1 dcb52612d301824d3a7fdfd0ea20c3fcfbb7a1b4
SHA256 2f33956ce5a0bb01abb3c0fee9a321c8f8f7abcf1d7535800bf25f1dc44b1643
SHA512 9efb70c4922365967c5fa7e89967e21eede96979a149e027099da786cd8b198d4e81bb3bf2b39c8d65a8796c5d72ca79241e66fc69e2502fdec8a0c5f230412c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 208a234643c411e1b919e904ee20115e
SHA1 400b6e6860953f981bfe4716c345b797ed5b2b5b
SHA256 af80020ae43388bbd3db31c75aade369d489a30a933574dea19163e094d5f458
SHA512 2779b96325234c836cbb91820ee332ed56c15b534ec0c7770b322a5c03849ec3ee67b0ec7978e1fab563eeed1cea96f5155d7b942702555d9352ff6711a548d2

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2ZH5394.exe

MD5 e2e2c57c90cb9f1f99da286756a0c7cb
SHA1 923c1cb68b19eab296e4f30c8d85c05cfea25b88
SHA256 b9a471a4a0df02ad0831f265adbbfc123a72d27fd16971e8c2c81cc6d850b171
SHA512 2d1a58a46d940e76e9b0752a46ea34262caadf4c50dc5c2afb48c1550215ccc9d00ec01a07bd9c92f3b3a8fb8c99c41e3da83829168318e8249d1e017d4548f4

\??\pipe\LOCAL\crashpad_260_LMAQEFGWISRTFIOW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ff64937147b31861e0e0bd4a51abc139
SHA1 087d623ce65e970c72cec33897a2551795c19b1c
SHA256 95353d282fd2162e62a5724ace582f9b68916a40e250e86b91c2c5c32b2a4fcb
SHA512 3962ecf9b26c8df09ccdb8b95f4478b5cfb7992dfb33990e4839f37655b325389c6f41ee907fe46f768a78a91f0e34674d4baab9597cb30d9e15bfd1520f88b3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5cb2acb83ee7d997fcdd5fe2b8d36b6f
SHA1 ca16513a5db8cbb33ea2b3110e4e05afba04d067
SHA256 c57d77c3b8e987f37c934bfb759f0c2fafe2797be76c1c24bd4e77b0173649d0
SHA512 d0b5169eb03a54e047137437319e1dc0ee0af95e7a1b3da416a5d6ade1149a518b8ad1dc7f3224125a81621699cf34da80160b9239c3a776ecf3db7d380c6a13

memory/5260-174-0x0000000074200000-0x00000000749B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f595aee7-341f-4151-b7f5-56f41afefbcb.tmp

MD5 a940005575a7ff24b41a8b3b51f715d9
SHA1 93e4930b96f0d83e0b10a56ac8acd0329f52dde7
SHA256 02dc2b8c1849e70f4433abacd74588eb1677b3fa5ae6c7638d1499e06e0e2c1f
SHA512 cbb7cf798db1ad76c1bb8fb81b2d1137a945788fe2a002d01899269931ae0dd5bbced4f36b8e92b4c0b620c765b2a8c5afe9f640c97b0b8708981293c20b7971

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f67005ca-f7ce-45da-b64d-73c976b43885.tmp

MD5 2aec3a966d1a6824643188cd152ebbdb
SHA1 5956cc67d5d19365f984fe25fc2f77e12318c7c1
SHA256 0afc9e1df902aa7fa1d2ecfa4858fcfaa1dcdd4020e51c4c2d760f538efab83b
SHA512 66f3ed438924a8df44cf52443eba0bae76275aef994a007a242d2d078f699127df0eb40c92efb6d33b6551b88b3d47e51b2298601438c80395843b76a7cc2330

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 d43ff3010732f076a3fbba9d59363aea
SHA1 4a527ccf05ba863dda2b99924920d2d6b5aa2513
SHA256 4f5b60a0da509a7f08c11a9b66a82b6239b39fd6aec13c051347042d0527f1a6
SHA512 876d9d9e42b3a4fa92b98bb4a90ba9d090ca09a0e6d2910b6356ed75f17ceba907a889e9f03730d0602bceb79a63266d2e75bec9e4d0c8a63c4f56bea0e3657c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c6327441806d94278e67bd7ab356e3c5
SHA1 b012c26a11916d640325dbd6d4b79123817ff221
SHA256 815d39448873cb0679b88c83d03f11a92849c4839d7f2950bdd36a50c7f68c44
SHA512 838daff10033e20fbadc93ed89c753afe4fa91c8330c6d088a296b5a53daddc85ac994ee1d1709afe35bccebf9ecfec9fd280909ed35d1362a11b259a75d03fa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5ef0fee9354643d7ee3bbf2c3f15b8e1
SHA1 77dd77ba1c39952d86b32a3a75246711d200f8a5
SHA256 815f0762bff3169cea21a5f0f936cc0d558285dc5683f516001c25d2be1db120
SHA512 8ad461181c1185319d027c1904cede87bf58623b301b3839478d5a27deae8853347f87652f0687c276a0de9d289734e1e3a73403fac4aa1ec985ae8d1473b66c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2eca2ab5-c57a-4833-b263-b991841e6fc4.tmp

MD5 30aa2d91908b65c51f4140948a4cae26
SHA1 6c5d2b01e7cbe692bd5af7b8d936e8731c532e56
SHA256 cf276102c29a58a268665078108bf9f1ca1de6e6118d5651ae0b8f3c5f8bbbb4
SHA512 9526914689c0d609c9bdbe4ed5a5e98b53f9c4fe5bf8ad92e76e44a34a6d2f13ab83229cdbff17d0547f39161a0b38761f7a55b008ae13b71210c69daa539c91

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\c042c64b-c2c2-45a8-8c36-13ff69d3d1d7.tmp

MD5 441789f7209423f0c994c0642a7ebef0
SHA1 6567a6e260ea8314c7333f3e879b81aa4b23be43
SHA256 9baac845b228f2c2c85572e13454f8bd0b04f0f3b79dd4dd2958fec404499dc1
SHA512 9ce464756593142a01c52b671b1c50d325e3efe25a206faf17c7e2b4bb17fc96f5c669f5d713a2b524f2f3345dd4e75dd734bf9cadc4fe1c4a674ada463ce8d1

memory/5260-365-0x0000000004AF0000-0x0000000004B00000-memory.dmp

memory/5260-366-0x0000000002460000-0x000000000247C000-memory.dmp

memory/5260-367-0x0000000004AF0000-0x0000000004B00000-memory.dmp

memory/5260-368-0x0000000004AF0000-0x0000000004B00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 eeea0f5b139eda900b56906bc5bebf82
SHA1 c219351634ef27b2873b90862936048783ad34a8
SHA256 aa18dd96703a1d1e876030d458b5ecc381ad793d36ce3091c45a5ae1cc3cf626
SHA512 88dc98ca6d127cecacbfa79b8e5d519d59d1a618f62042faa603d7a7eda7d4c47a9f16ec7618c0d55bb286f0f1c9371dd1d06388a0e63db3af8b0c10929bda99

memory/5260-394-0x0000000004B00000-0x00000000050A4000-memory.dmp

memory/5260-400-0x0000000002540000-0x000000000255A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3329648f304f79d2844be11b7feac651
SHA1 b125e8e85c28649be3f8b9678b84771f3f4506c6
SHA256 12a4bd47f967aabf3eb0b74d7b3ed92a88cc4c350a7a31933df5b13e989e4701
SHA512 d33f523abcc8454404cddffd7135ab1bd3c9e60253bc18e8de4405367d9bb042d3cb8feb7fd63a103152efc81771c9b41bf13e03406f49989467062ccb6dea92

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a27da36c9a6c38be91dda757c89c2671
SHA1 537248cd0be35c3b1bf6a467bd9e0625b0c1e1d6
SHA256 2dc7dfa5010d94b0b0686b989d8bf53c0230566053d0f3e92b02a9a85adfe446
SHA512 d36e131d302c3781fc9938b5457c8feeff3f5503bc80f07fdd527f68aff41cff1ebd49f53523ed057e325bae603f6037377440b56cc49d96dc687f1622724a6a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 5a6206a3489650bf4a9c3ce44a428126
SHA1 3137a909ef8b098687ec536c57caa1bacc77224b
SHA256 0a9e623c6df237c02a585539bffb8249de48949c6d074fe0aaf43063731a3e28
SHA512 980da83c3142bf08433ec1770a2ec5f5560daf3ee680466f89beae8290e921c0db677489daad055fbc1f196388f8bc4f60e050600381f860b06d330062440a78

memory/5260-596-0x0000000074200000-0x00000000749B0000-memory.dmp

memory/6836-600-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\6a74c2a5-b103-43f0-9ad6-9a5cbaf93fb6.tmp

MD5 83c6dc7027b65ac81c07e35a5dd49fad
SHA1 d596bb9a905c2a1e480f02a84d4d8bcd42669056
SHA256 0c040c3584aa47aec5ce2d9adebeff5a535458782bf84008eadcc88ecad6ba4c
SHA512 d2c5932c271b2aa9233f3afa242e2b9ea264ab87620769734a9910099f025b0be78fa7a23791936250ce02dea3d410d09075f3808a70ad4ffbedabab054b6b3f

memory/3408-660-0x0000000002720000-0x0000000002736000-memory.dmp

memory/6836-662-0x0000000000400000-0x000000000040B000-memory.dmp

memory/5692-666-0x00000000025B0000-0x000000000268B000-memory.dmp

memory/5692-667-0x0000000002690000-0x0000000002825000-memory.dmp

memory/5692-668-0x0000000000400000-0x0000000000919000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

MD5 923a543cc619ea568f91b723d9fb1ef0
SHA1 6f4ade25559645c741d7327c6e16521e43d7e1f9
SHA256 bf7344209edb1be5a2886c425cf6334a102d76cbea1471fd50171e2ee92877cd
SHA512 a4153751761cd67465374828b0514d7773b8c4ed37779d1ecfd4f19be4faa171585c8ee0b4db59b556399d5d2b9809ba87e04d4715e9d090e1f488d02219d555

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 0bc276513dedbdb78399ae4e20767db5
SHA1 9ca1c456c4d7269debd7c1988fd2b8acb9dde0cc
SHA256 1051f13f4a28468448a5d06fb417af339d977b8c893f997e911552086e135f43
SHA512 edf7d3fca947e878e476eb2c72a9944c0603363eef522c864797aaa6d1e73674866244fce9ca69fc96b3e1a702190fea634e20190bc77bd0c1d2fea1189399e2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c03e.TMP

MD5 b92932a80ffc79af19e6ea99c9daacf0
SHA1 6fdffde8307fb00be7249053a55830e04d8c4ff5
SHA256 2aaa797ee2ce9d3ab1e6f6b939b4a2ca095a50ffe897b19f3ce3eed79c6798f1
SHA512 9de98dcacb1bffafee26691f4d1f0e251156cb58ced1613966c0c97196ad678592900718e9bfa7dfb94ba02e7920347c1d577b6977e93c5f0c95ad2163df142e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

MD5 7d75a9eb3b38b5dd04b8a7ce4f1b87cc
SHA1 68f598c84936c9720c5ffd6685294f5c94000dff
SHA256 6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7
SHA512 cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

memory/5692-701-0x0000000002690000-0x0000000002825000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

MD5 d55250dc737ef207ba326220fff903d1
SHA1 cbdc4af13a2ca8219d5c0b13d2c091a4234347c6
SHA256 d3e913618a52fe57ab4320e62a5ace58a699d6bce8187164e198abe3279726fd
SHA512 13adff61e2cfa25dc535eba9d63209b7e7e9bd29fc4d6c868b057df7f680aa66ef5783a0e82a8367185debf7f6fe5bae89adc0770daff5317d2e16db5ad3ab39

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

MD5 909324d9c20060e3e73a7b5ff1f19dd8
SHA1 feea7790740db1e87419c8f5920859ea0234b76b
SHA256 dfc749d2afefe484d9aa9f8f06d461ad104a0ca9b75b46abfaaddda64a5e9278
SHA512 b64d2dce1f9a185fbb8a32adc1ff402d8045d379600bf3f9154bbde18303610f18af9fce258442db1e621ecf10b77aafe99cffedfcbe2a1490056c50cc42d0f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

MD5 b3ba9decc3bb52ed5cca8158e05928a9
SHA1 19d045a3fbccbf788a29a4dba443d9ccf5a12fb0
SHA256 8bd1b2afcbe2fa046b0937197f1b2f393ef821ff89331f99754b9006f0114df4
SHA512 86a86d370e96fa29c0c1d12991c2287936b400830869ff7b5abe4de6f32db2df782b626d724496cd6de27f8cbd32101ba34cbcd4c650ef11afa26bc048d68529

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 cccd14828348505e364ed80e73c56733
SHA1 e49628d1f15247ede0e029f8d23d46a69047e91f
SHA256 6af5e9517b8078c9c19812742156de0a686d43923ad19e84f00f418e71f2aef6
SHA512 33af3e558d5a7717ea2f5ce5a8437ed3e8c0953ad59429448836c4e98af04cd8976b8a793cbe8aedf9735cc3d1e8e990a6b037cde6c76541d813907c80296711

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2371ef8758a70313d17174741adc4aef
SHA1 adb998d543f95a2b4ba57e94db7a2243e00da969
SHA256 1683de1df3aa2b1c6ab3d9bcd5e77bdaaab4e38f4c784c73e5a72674f93c824b
SHA512 9b5bd1b231d2f6f1cebf928530ff938e8a13f1f9aedc74484cf74a106140974f6652c32d407a728f299ad6c104a2042f026eb8d7ff0caa98edff55f7e9dea6e8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5d3d07317a5515c4c3810c107a7c48fb
SHA1 c352e5957b45604f0a433fd71f838422ca92d313
SHA256 5b2c6056e98ad2d96ae8b4fe3285cd0175d77bc235ae9a854b7f636a5c321921
SHA512 2a00f4772e55dd232e77a792ebce2df9d078b85181bbc5f4ffe3b2343f50d2475f8dae28c2496e902a5e8645dd26501054960e6c90aca25af30c214a499bc441

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 8b638872f714db07768ddbc06e46afd1
SHA1 904dba19ee65f9902fea18a4e6934a6d2857927f
SHA256 eeb85819edacf1e9d9adcb2f85f44feac01abb32cf44e3a85f08c550a82a281f
SHA512 190b2cdc98d1f0f94a84a5a52f5cbefa40419a4ddd3aa84b535e5541753f4572be548e74b46002a77902b7a4dc26b6f63eb63d21a1d258e26cde01af100a13a2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 961bebe211d9cee80afe7131128a5c8c
SHA1 26acee3e505f34b28b905a1bf05ae1edd5b9d48a
SHA256 bd98e7f59f1e2490a672337b1a612ec8300e6fedc06f457658ead21009f0d0cd
SHA512 bbdfb8e38c5a30c6873d39ebff127ba9ee9d5cf496d39e9db60b4827c3106b36a4d3ef56464d759c377ed61a52bb9345bd38aef6f98440213bb044d020f403ab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 baa0f4b7c9e69de04ec712c956aacf8d
SHA1 a7380a657c0e818bbccfd71d634ac798ebe31116
SHA256 f280876e9a5325731da26ab8d199f4c40b9a5ab40586763189bf3280dad90eea
SHA512 1f63676a1ca47d63544d4b23767d1ada5321c7d7466ac5d8d93f0b8a0f259ffc427e1dca09aa2a46b60e7d7fbf4eee28f9d6e7fb49ddb2dee7671e462b72de37

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a9e0278e3c5d331bb32ec7b3a94f299f
SHA1 6269234691537e4031f98d8c69f9362a46305096
SHA256 fc9179e6cd97d45732559b81eb1d07d694dc9f2d72cea8f1435fa99a61b87681
SHA512 8c97a748316957f36b68e76b877d97f4254d47473f3e31f416f178cd40c86e1a4aab04fa2bcbf447f0bed58d81916d46d599c9bcf53a0070eba021d8ef12aa82

memory/7048-998-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/7048-999-0x0000000000470000-0x0000000001926000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 7e23085391ec6f769f81d55520496c46
SHA1 cb2545c01d9bf54f30ee9636dded12387ee6bbe4
SHA256 3f50e08ded7a0974dafffd81ce0352fe15c372c864f4737d686af4c4e87ad964
SHA512 31b183f5bd6e13acfb9926ce788fdbab30a7d488aef9b5a16053d43daf1c68dbd8e213f07ad5352214f230a9e36186221fae4ccd2039f5000e65c4c5941eeded

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 5dd44d0509871eec95c758d40f525d79
SHA1 73d493c6884b96f179180e5850d6334a7814c930
SHA256 fbfbdfa46ed671e652c67a4fddcf548ecadd8c9be6ef3e2c33e3163f2c147282
SHA512 ca51000cc3e2e9c2b9a38a258b1288abe6428947a2c9ffeb05d226199a24d1df6c5eb6795fcd735bcf0a98ce9d0e18bd8adcd1977aa8580cf591b6de20e2e27a

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d81bf3932ef63c6c2cf0bf72b451db44
SHA1 9ef97783720d002fddd2f9ceed60072c7c2e6ca8
SHA256 a6b23f638c99c75baddd47066eba60ac63e4ad468c4dad9f26a0d0fbc72f7cf8
SHA512 d6e2f3820cda5a11a7b3fb15af277f76047e9db2ce84c41f793ca913e4a3f2b0622899d101abf43156164b091c43f9ec4ef207acf8682cb807564d7c10f7dbae

memory/5752-1023-0x0000000000B10000-0x0000000000B11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 1ac6f91f68a718573bc6e310e5267f9c
SHA1 a30f1f046da88ec78fcab903e37f0b8520625d5d
SHA256 4dfa49ef5ea03ebc0e710e29dd0a95653d606a3fce17d08c4ac6b1d9919dae8a
SHA512 023438ea1a126fa0b87f95a5f9a23a7ab298a68747c2bda95657a1f7a48e68a236a9077c058676b4dc974ad567dccf56640740233343109a4a585aef3bb11381

memory/5800-1034-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 a1c4a4980ebfdc7e721ffaed87900dc5
SHA1 16a46aafc07c511af8b6da8973d2b78292de4378
SHA256 d5f1484ac14dfce241ffee57cc478f1fba084ebe7d43dbdb83371482551a58b9
SHA512 913d6122f1181419a68d5a2a35e7f4bb5a897ee41686ebe70b039e5b83e45ba239ccc1bffa3896edbb1757daca520f57a19a1ab7ff148dee605cdb0bfbe842fd

memory/7048-1058-0x0000000074A60000-0x0000000075210000-memory.dmp

memory/7172-1057-0x0000000000540000-0x0000000000541000-memory.dmp

memory/5232-1183-0x00000000749D0000-0x0000000075180000-memory.dmp

memory/5232-1173-0x0000000000210000-0x0000000000704000-memory.dmp

memory/5232-1187-0x0000000005070000-0x0000000005102000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a30fa1e961f152db953bf93336b2a1f1
SHA1 457b4bdb3000dab2178254e9e3db5c72088dec47
SHA256 d64ff85bcf01beb2461ef15e0c861e3d1fb6165f9ee63624d3b74a13ea245c53
SHA512 677e24aafb1cfb286a4ab70c31ef03c2eb1d4e4d43639d9515ce731a0e9ff828477d217131bcbf02ead4a22d97714a18536f06b501aedbfccd479f4cf39cd2fb

memory/2060-1201-0x0000000000400000-0x0000000000785000-memory.dmp

memory/2060-1200-0x0000000000400000-0x0000000000785000-memory.dmp

memory/5232-1199-0x0000000005210000-0x00000000052AC000-memory.dmp

memory/2060-1206-0x0000000000400000-0x0000000000785000-memory.dmp

memory/5232-1205-0x0000000004E70000-0x0000000004E80000-memory.dmp

memory/5232-1207-0x0000000005020000-0x000000000502A000-memory.dmp

memory/4252-1208-0x00000000749D0000-0x0000000075180000-memory.dmp

memory/4776-1210-0x0000000000400000-0x0000000000785000-memory.dmp

memory/4252-1209-0x0000000000990000-0x00000000009CC000-memory.dmp