Malware Analysis Report

2024-12-08 00:22

Sample ID 231222-bctx5scbf6
Target 03ba42f27927659605cd8c27962c45a4.bin
SHA256 17a4fe1cd4f50925ee0c692888899c886460fa9717db2bb4ced44172dea45a1f
Tags
google collection discovery evasion persistence phishing spyware stealer themida trojan paypal
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

17a4fe1cd4f50925ee0c692888899c886460fa9717db2bb4ced44172dea45a1f

Threat Level: Known bad

The file 03ba42f27927659605cd8c27962c45a4.bin was found to be: Known bad.

Malicious Activity Summary

google collection discovery evasion persistence phishing spyware stealer themida trojan paypal

Detected google phishing page

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Checks BIOS information in registry

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Checks installed software on the system

Checks whether UAC is enabled

Adds Run key to start application

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Detected potential entity reuse from brand paypal.

Enumerates physical storage devices

Program crash

Unsigned PE

outlook_office_path

Modifies system certificate store

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies registry class

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-22 01:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-22 01:00

Reported

2023-12-22 01:04

Platform

win7-20231215-en

Max time kernel

150s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe"

Signatures

Detected google phishing page

phishing google

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B4E1AD71-A065-11EE-A7E3-F2B23B8A8DD7} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B4DF4C11-A065-11EE-A7E3-F2B23B8A8DD7} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DOMStorage\epicgames.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002213d23592f6d648a137f9bf65c22cfa00000000020000000000106600000001000020000000a56e54a973f26fe18c65e4dee085a2a96302f17005dadcd36b99df99804560f5000000000e8000000002000020000000f13228623e1c5e61d8f322a8f36a8f328ed1b9f9c706c5add8407ad414991f68900000008ed5d90fa963f3479708b05f7c41006bd990e7dd6627c7c892ed7619325be30393aa2a7e7cdafaa2f2a3efe7fcc3e29008cc4e4eb5a32c40e07315445d176ec256eba3c7ac4acabff9d97cebcf9453620afe91f718273f7dfb24276c6f232f28a04ba1b63749f0607c9606bc966f8929a79e38823839415de235e6287ef4bbf637510aa33750c5faeb4ae02dd356b3c9400000004b31bd94546b9cbe48349b79e98dc37c6eb0b44d73278b6fa8111d1d355940aa5d363e13d82271404e114f58010879a6b4a99fda8c16aa3725dfaf77cdcd6de2 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B4DAB061-A065-11EE-A7E3-F2B23B8A8DD7} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B4D827F1-A065-11EE-A7E3-F2B23B8A8DD7} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d09d4e937234da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe
PID 1628 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe
PID 1628 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe
PID 1628 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe
PID 1628 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe
PID 1628 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe
PID 1628 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe
PID 2692 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe
PID 2692 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe
PID 2692 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe
PID 2692 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe
PID 2692 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe
PID 2692 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe
PID 2692 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe
PID 2892 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2892 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files\Internet Explorer\iexplore.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe

"C:\Users\Admin\AppData\Local\Temp\edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://store.steampowered.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://twitter.com/i/flow/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.epicgames.com/id/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.linkedin.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.paypal.com/signin

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://steamcommunity.com/openid/loginform

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2600 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2708 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2604 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2720 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 2500

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 twitter.com udp
US 8.8.8.8:53 store.steampowered.com udp
US 8.8.8.8:53 www.linkedin.com udp
US 8.8.8.8:53 www.epicgames.com udp
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 www.paypal.com udp
US 13.107.42.14:443 www.linkedin.com tcp
US 151.101.1.21:443 www.paypal.com tcp
US 13.107.42.14:443 www.linkedin.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
GB 104.103.202.103:443 steamcommunity.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
BE 64.233.166.84:443 accounts.google.com tcp
US 151.101.1.21:443 www.paypal.com tcp
GB 104.103.202.103:443 steamcommunity.com tcp
BE 64.233.166.84:443 accounts.google.com tcp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
US 2.17.5.46:443 store.steampowered.com tcp
US 2.17.5.46:443 store.steampowered.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
US 44.196.86.250:443 www.epicgames.com tcp
US 44.196.86.250:443 www.epicgames.com tcp
US 8.8.8.8:53 static.licdn.com udp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 facebook.com udp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.35:443 facebook.com tcp
US 8.8.8.8:53 store.cloudflare.steamstatic.com udp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.35:443 facebook.com tcp
US 8.8.8.8:53 community.cloudflare.steamstatic.com udp
GB 88.221.134.88:443 static.licdn.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 www.paypalobjects.com udp
US 172.64.145.151:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 172.64.145.151:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 172.64.145.151:443 community.cloudflare.steamstatic.com tcp
US 172.64.145.151:443 community.cloudflare.steamstatic.com tcp
US 172.64.145.151:443 community.cloudflare.steamstatic.com tcp
US 172.64.145.151:443 community.cloudflare.steamstatic.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
US 8.8.8.8:53 fbcdn.net udp
IE 163.70.147.35:443 fbcdn.net tcp
IE 163.70.147.35:443 fbcdn.net tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 172.64.145.151:443 community.cloudflare.steamstatic.com tcp
US 172.64.145.151:443 community.cloudflare.steamstatic.com tcp
US 8.8.8.8:53 fbsbx.com udp
IE 163.70.147.35:443 fbsbx.com tcp
IE 163.70.147.35:443 fbsbx.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 172.64.145.151:443 community.cloudflare.steamstatic.com tcp
US 172.64.145.151:443 community.cloudflare.steamstatic.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 172.64.145.151:443 community.cloudflare.steamstatic.com tcp
US 172.64.145.151:443 community.cloudflare.steamstatic.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 8.8.8.8:53 t.paypal.com udp
US 172.64.145.151:443 community.cloudflare.steamstatic.com tcp
US 172.64.145.151:443 community.cloudflare.steamstatic.com tcp
US 151.101.1.35:443 t.paypal.com tcp
US 151.101.1.35:443 t.paypal.com tcp
US 172.64.145.151:443 community.cloudflare.steamstatic.com tcp
US 172.64.145.151:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
US 104.18.42.105:443 community.cloudflare.steamstatic.com tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 ocsp.r2m02.amazontrust.com udp
US 8.8.8.8:53 ocsp.r2m02.amazontrust.com udp
IE 13.224.64.205:80 ocsp.r2m02.amazontrust.com tcp
IE 13.224.64.205:80 ocsp.r2m02.amazontrust.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
GB 142.250.200.4:443 www.google.com tcp
US 8.8.8.8:53 accounts.youtube.com udp
US 8.8.8.8:53 static-assets-prod.unrealengine.com udp
GB 142.250.200.46:443 accounts.youtube.com tcp
GB 142.250.200.46:443 accounts.youtube.com tcp
IE 13.224.68.64:443 static-assets-prod.unrealengine.com tcp
IE 13.224.68.64:443 static-assets-prod.unrealengine.com tcp
US 8.8.8.8:53 tracking.epicgames.com udp
US 52.20.222.169:443 tracking.epicgames.com tcp
US 52.20.222.169:443 tracking.epicgames.com tcp
BG 91.92.249.253:50500 tcp
US 8.8.8.8:53 ocsp.r2m03.amazontrust.com udp
IE 13.224.64.205:80 ocsp.r2m03.amazontrust.com tcp
IE 13.224.68.64:443 static-assets-prod.unrealengine.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 104.244.42.1:443 twitter.com tcp
US 8.8.8.8:53 play.google.com udp
FR 216.58.204.78:443 play.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe

MD5 7847c11f350d9af69ec71d4a9d1ddcc8
SHA1 2f5007c4b05c06f6e8f83b0a0c1e03813bf6c428
SHA256 9e3c9bd3e23fbb418ee062924e80728372eebfc34be6c2acd059668362785dc2
SHA512 82f5553c2b1b7e38dbad8edfc242ef9a6f9b6797de290293991db836cf843009f1be852837f50b080d32e5e0f2be679560ce4f7d9b5a1298e9fb75b1fc7a3674

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe

MD5 e9f0ff7ee1b04294509070ad3330711f
SHA1 d26f3c7d2576f1e611dca674cee7a4a116fde9e2
SHA256 a6d4a624caca62eec4a4bdd4c4a5e53e2838636f401e45b639807bea7170b022
SHA512 49c1ff4809edde7ff732fc9ec509bba70fc43697ffa6f7858ce891a489e0571bac590886eb7f82fd8aa9717b30f8399573fcd7f760a629b4aac64749897cbd02

\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe

MD5 311275ddb2eeaf14956895692ac16c5b
SHA1 9ad0438bb6b853f8491594b990623378948753bc
SHA256 83dccc62a2405fe5ba9d2f60d9383616eef41a9a25ace78a856c1a6e44627b23
SHA512 e7ce6d8e7e4ed0c366c2b9fc82160e19abe9822113d811fbc90a5bef93f7f81d2b1d5ef6305e8a101bcf3d28506e294e059a1cf58d75b0224434ed31c9db983a

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe

MD5 3e3d29fb971a63cafc1a8378ab68952a
SHA1 2d3cd256a207b09edf585f40c789f1692db3df2c
SHA256 4d52206532cf1fa0d7719e5e65bf0147f42a8153e3e635755ce3560c90e1f389
SHA512 e94d4d1bde9239dc4bdd046b9a2cdccc6e640a936608aab07c3fbf36c082d42ab7b68222061b7601622198c99027df3b56aa91d8f765ef6ecf9fb7c57c1f8e1b

\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe

MD5 5e6ceb382f0ca4c89b0a35a104f77e4a
SHA1 9208a1adbdfcd4854918f0c427c8dcf1bceb5ad6
SHA256 402cc48a5c65b19df103c95caca358b22c44c59ddcfcfb06c67dc404dff8e559
SHA512 24a36fa2470915035382b7d060b1917c21d2788048971d8a703e9ba9b9e99f0834376a5667c72a0e42eb89d5c16b075dfadcd0d2a15c15ce3cfd5ae5222e76fa

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe

MD5 9bae4de9b497adf842e97f6267cd6be4
SHA1 d28a767dd04c4e7a7b8be29b7026f78da6cf5d87
SHA256 9dd980f70ff7eadbb2a2ab54c0ea73136d7beec0c5601edf3caa6467f7a104c3
SHA512 969611fa2ee5e958770d7cefa958a31c52a29e23824743acd38ef9a79410ea94c037f689f841b1c52a95fb32eebd457ad0abca898d2aadc4b588d5e2e0c1a895

\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe

MD5 c22e40f1d55d7b05476516614ae30ac2
SHA1 09a564a27c71acfa4a573604275cb57edcf6df1f
SHA256 876269537b6138e6cec0537fd3edfdf83bca9a59ad20608ddfda16a8c6d46efd
SHA512 54eafc66bd23b5ff4f41881f19ce2bc4158eb47c832833d842d891336a81650bc52010c1cc88169dbd3f4be6fd8d9c9764452710654666ed37b1ced27ff22a7e

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B4DAB061-A065-11EE-A7E3-F2B23B8A8DD7}.dat

MD5 33e11a6de0aedcf4aff16ae56945ffe2
SHA1 6f8b868190bfc345de79cd399e35e7479f697f50
SHA256 8611645355ea0c24b8c8cc8b3e0bb3f546d0ea0e14c124b04b32ac45b07adc09
SHA512 fad6a872fb04e92e1e17510fbd2b0045fce78853458a5b86d9f45bd50ed4258ed08e415a4e19534f670324af78e50d2876cb61b39d7edf1336e80afff7b63cf7

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B4E8D191-A065-11EE-A7E3-F2B23B8A8DD7}.dat

MD5 88393191b9f093778ce6546249bf340c
SHA1 789b164a6dc9316d2112553c870b1397d0790576
SHA256 2d86d9d2a3039729cbe43fcce54a7685d4ebefee0e28c0ff5c4c0ec3baec6cb9
SHA512 f8041af8f3d1a4276a88bb981b00afa466ca27dc5b5f0ac998057086fcf4469f61ef2378f2705f51edd6937bb416bedbb7d1f663f94b44c4192d05353d76fcdb

\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe

MD5 f7355843a30c1df1db9380ac5dfb8ff7
SHA1 aa9a74183ceb435d0b1220effda8aaf5832ea2d6
SHA256 36387b530e611dc74d388d105b8141334e60e48452e331ec788e5659662b881f
SHA512 c6efc073189babe62421194157d9cccaef98af283bce3e3ecc7b56ae0beead31672a533b71cebaf272b2e1a74c0c8d505f15caddc21ebdbaea1b7cd1bf72c81f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe

MD5 74fef3494d5a898b93ff177b772cda0c
SHA1 d7119858bf00d169760a34b4ced12accdb70703f
SHA256 a98df15e5360b7168906f30bf2fcc72e37bce7e48baa50ccadd7690d247754aa
SHA512 0c7535f219ff0bdf2748877f878ebe10884d50147b6f4140d8029f6fc115d6506a75e3d3611ee09a5f4704bdce2fd3087aa5719feb9546ebf9d8b5967a621923

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe

MD5 839aa90712123a37232b5896cca05f71
SHA1 4f1066ea59a79cc4247afdc63243ad4104390532
SHA256 4edb28aeb3783621813681c7df67ba53de866e48aad0ab2857c34f9d32bfb37d
SHA512 4a373bc4b130b429404a947bafe71931e05bb6c7653195ae1295240e663f5b1224ee029f287aee5745e6d4830d264b5b827782cd96f37ed1604fd83d0e84805c

\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe

MD5 a47950ed9ea8344fee0fd656c5cb5923
SHA1 8babc68f521a49ff3f75e1aac9cb48fb479b9ede
SHA256 0a05212d7482a4d811b3d821d1043fdfec5d463c3049d2d0871f742817572984
SHA512 7098ea6fd79c30fe4df54bfc7b9ba4fc07fa1104e5a5f5aa21b2113ae3e57ad10264b1405d707a8298beb1ed0ff39a9b53651e6db533fa2d99d2b3b847d708f7

memory/2692-28-0x0000000002730000-0x0000000002E0A000-memory.dmp

memory/2064-29-0x00000000771A0000-0x00000000771A2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B4DCEAB1-A065-11EE-A7E3-F2B23B8A8DD7}.dat

MD5 7eab863e926d17c1dd01328f27db21b1
SHA1 3887e77bb04f2842ed782cb328c115c55f7aba50
SHA256 7884e336cdf9b8773adda4fa86bab25565b6aeaf3efe3760c42c009b27f00ee7
SHA512 9abddce77e42ce44198abd7da063f5e0b734093b841e383671fb5a5d578af932dd61035f16f4fe10e5f42c5f11888ea889933684f031ce01f4f81674bc2e26ad

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B4DCEAB1-A065-11EE-A7E3-F2B23B8A8DD7}.dat

MD5 e2050c3ea0af338234bb27fca534b493
SHA1 de6181b3e5e6c51ad09d71a16cdf767dacb7dc20
SHA256 9005aed04c98c70756a3f8ecfca1b62af364db265955d9d4541e3f5ddd208645
SHA512 c7b9a28fb07543b2f1562920887cc36c39674d426310868d88e179052d701769061fddad650e03e8f641823816859532fbecc4f53f1a8191c4841b5a5d1e1812

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B4E1AD71-A065-11EE-A7E3-F2B23B8A8DD7}.dat

MD5 d410772114776afd8ace338ccedf06bd
SHA1 1eb3bd20f1e070af6b8d834618465d6454258f03
SHA256 38a61f4a76c2dfe9aa1ce1f510e0e14f46fb411bc3fdff0bea0adb8183e75b62
SHA512 06651a674b2db6f0f65886a46a4b8d85efa661904d010776ea7dcf78cc6bb2c3eea6c39121cf8d5b8bb1139852bdb3a6adf01170c2eb90e42653e804b4640ee4

memory/2064-35-0x00000000002B0000-0x000000000098A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar9963.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\Cab9955.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 34b59f54e5679b71fec22b2738eaa7fb
SHA1 15ebcf1f41a3202f96e9fd2c39af8a21b8962cc6
SHA256 e9a79d71e9491800df14396e1aafda1eb531edbe933cb999e065c4caace03bea
SHA512 9f2cc8ab46330d1644e7cadebf877b61756c4415304e85c3fded2546bb6b282954b1e4886115f82fef405d93d880fafa7697bb8cfe54259db52a927ffd6cc32d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 baf4124a8f931f795423696ccbf5e466
SHA1 7d17fb6d9b4dfa16bce67161a07ef373d93f7339
SHA256 96689c65854d08b164a2d8d9d86f71c05109c4c11799a0d5eaea2b6b2b30540f
SHA512 8a3186906087631a6756767cb098b4cb4d078f58f31ae5fa2dab08320b112c29c8ec53d03588addee0aabfafecbcec18738c1f34df00cb974c17125db06059f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 0abd77472ac7bf697cd765a95c0b1f93
SHA1 97e59ab9cf67a9f36a9d1ef618ce18cb180a6050
SHA256 d224306d1a40ade3f8cf0d7e373d03f9a0bcda3f3e8c2e243742d4bb60b316ab
SHA512 cb4dcebeee7cf89314dacd64bc39d005040a167fc9d69200354debe4b729e378e96861551ce1a42a82372cce29ba1304661eb02c78c2520047adc2f04e7dd8b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 79154b99ca9c736c308bf295670498ae
SHA1 13f86192239312b86a8ea9f347aab293dc933910
SHA256 05235c04c189461ea3345834bff5771205275dcd17306f0d34410674e4d2121e
SHA512 8c76ada08aa73855b752eb795b0056c14d9004c6950bc3c5b0e7998a5369242fc879916a41c7ed006f53e82177dea0065ab10133a0ec4ce96e4ecd06cceae3d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ac89a852c2aaa3d389b2d2dd312ad367
SHA1 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512 c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 28308b288b73db74d1572f17fa20411b
SHA1 929032ba6e3902ec503b009938fa4fb13214f9f2
SHA256 f07e33126e7d6080d168916fef270873f4bbcd72e0f5477bb66056bb8e487719
SHA512 8e8a04e32b5f4177f009562a0aa4817ad493b321fd38dc4a3c01cdf19f4d9a3d144bc5e8422f39e9b755c6ff5eae67513f7f8464a5660e67a7f24ee7db3c5ac5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 50c2d8ef763b5279a22c751e07d26ced
SHA1 816b32d73b0b320825356a02bcdd1f682585f5ee
SHA256 fc0ae1a44eb380d8c7d5ea021dbc3ebc088478fc0de12577bb77e5d38055ba22
SHA512 14ab11d449bf4c7dde615d04cccd881f25388ae55d16510a3e116c65cbb7ee054fda1853481ab09b243b66eb5cf1993d66206098475703a23f3dfa84490be4e3

C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe

MD5 e0fee990e52392d40c0a4ae442d217c8
SHA1 4139f1c29cc303f5208516536ed95eefcdac2e49
SHA256 b659b2fb3afd31cb7d1391fbe1ba750d4f0e4d7caf560f942507390efb886a5e
SHA512 5aea83a087c4fa3bd8eb3532304cd577bbc71abf99e9a212380bcce454a036ba41dd93f9d955be267617b2e08194d1d2035cd6da011ac84f8a8240be0d8daf0d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 8859069663b51ffeb37a3f089668e5e4
SHA1 b5cbecc3977f26223a8a6eddcb741cbd637d4aba
SHA256 98475770670559472e1526395831e9b2079a07b10662bd9a8ad2f875064bb13c
SHA512 3bf5ad1443f1eb73f8dd5e39b0fa5a3defb5775e23fbf3ff5d960799fbea011b99e5a67d4060a6b00e8cc27d19597efeed6602b0e41e29c3315bd696c19440a4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b8c6d9c96654099ac9c69779e9b3aaf
SHA1 609f4243da1e705ce36dd0b04033214e8b3083ed
SHA256 22e35fa516b09df989dbbd81c33a081cdeeacaf1a4e55a8274b2eb28e029d75d
SHA512 373d469f80fd6abe0d23b163eeb4a34520e63f954ea26a1bcbd9f8dd89be6f2a88e97c22d16a2d192b03b403470a41e798bc56bacd03efed37c417f31a82972a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

MD5 f38ce0a5c7eed582b2c80fbaae7b8820
SHA1 fcc48013332584a5e54451926fb2367c21b94728
SHA256 040d479684b3f0ecf67f5149929a7589c918d7e22b5a2da2aa972c280682e54f
SHA512 3e133effdf7436708169909b68eb8213816657160a0e7ae8543e6d232d079c20e3daea1e2eb49c6135b30a68600c922e90a0092893355148985e1a8880365527

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba08593f4f939ef0d1207ae3e59eef01
SHA1 7d747686b3d9c3068eb3d97021aa28fc2c59f08e
SHA256 d0e058ca72f8e0d6f0c68bfff229c8d2e078c1085d6d3d6b5b4797e8628ac8c0
SHA512 4adaf3cabe14db4e39734c8da3a28948bd9340d1528c3ecd493822ca827421334c929595153c2868b381d59be86424d0c7d42f5fc699047ec3e0d57b66c8d4db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

MD5 71ede7793d7fe3a09e6b972a631ed6a1
SHA1 78a80b685132772f2e9626514aa156ff25276828
SHA256 87eb5204cd352d36d4abba154c693bf3fd727b0a7dcc4b160089f3f351ae83d6
SHA512 75e237111bf2c8b9fe7ed29046ec3b2ef6c0e38cb998c03b80686edf3d4b0f9e386d343035b72e97417d028550b1a9909f5ef993919297b894687ae5aa714934

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 45ca988e4c7d4064225d863c1950dd34
SHA1 ee870dddf1830f27d98a266f3b00800192952d2b
SHA256 b2316f686aeda29c4d2de05598733502c5cb5ac906f6a29b814795244f2486f4
SHA512 094e83a8549ce5a7e1621ab6d57a190047f35a228c3a6e6f3c02237bfc00fcb8e0fd8e8bf83874789d466fd8eeeaa87d26ff7c191628f493dd5642c9b1126867

memory/2064-674-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c64a5a3806f6b1b1e9239c92ee4c607b
SHA1 f3ccf1f7e46af1350bb5b1af80ac893c346ac407
SHA256 4482837cfeaa2a2e97592e98756c23d46fe79a16cb3d4a5735cbf3ff4b068e15
SHA512 9c0c1dcfc60aefee199f863ba4372967a57d05ab46ad6ea2062fef59849bfe6880f4a5aee7d6e300cd1c574c124d4e6466200ea38909a77180fbf0e1ab0ad939

\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 eb2a106bf67fbbde5baf000a38e6f397
SHA1 7a0c3eb1e7873f3028d864e41b7c14a6402d280c
SHA256 1d76027d378e9a1c4f736c14c55f5566253bafea01a105ab97c56d735afd7a7b
SHA512 b6682b40addb6627706c0f22252d021d9994ef2d16aa7a096ea7f032537ec70c4608d9a45122ed0d0d026e985427ce3a929d16ff0dde87fd988a34c411f1956a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c99d33b29fd01e610b503398a8c7bef9
SHA1 d1dbd2637e3f9b5324d01a64d853b57ff3bcd81f
SHA256 9954ebee25a81252dbe3c9747c9314e077cf54156f1667411f0946e83c7fe827
SHA512 5e60d1bc66ab495285df08580bbfc9d46418843a1daf69d1b7ab9ae88376062e1e0dbc1bbf3fbe5381f9d6456b6c06463fe28bda6acae7c7ec853c5ea3f8b6dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 71bb3e6fe95ed20d68ab73577b06357a
SHA1 58545fb1ac82ff50c81708bff320f575b97bc7c2
SHA256 8ee3edcabaded3e4f3888a4b7c3ae0d055b476926631ed617de81860c51f98c9
SHA512 41e57f7413d4ec662bc0f50854da0fd15df5ff2339b91820f17271c571c98a8552133e4f579f2c9e7df80c83653b4eca164b09ade5d6ce1ea3625a0c4afe44fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 58f011a0e35f6cf5ce47bd707ccaaae5
SHA1 4ec362d0fd07c2458cf3b6070bd19f3f6b7ac678
SHA256 c451a150489c7973adf7a7a48256c54d9d9cfb3d582e5aa701bef3fe0a195121
SHA512 2d202858eb415f134f834d3eda0384a42f069a4e9639a62aa455ffea1b10b67a72bcab97ae4b76994e6e5e3fb60cd086a4b92036dec65d17cfe1ca7f133cf373

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 4ecba2d62857587531aa2f14f80e6a68
SHA1 af037819fae64726ef8afdc6123afc5b9327c3f1
SHA256 3d1c9af4c8c49f20d5a693b4cd943eb345fa9ae6beca2dfac6c52b461beb4fe1
SHA512 15bd9a70ca3b2c1784cb605de68c057124c70a6b89fa1291f8e683de2501e7e4b3d3798e604db8980a1a97f7872717881d99752f80ffcff4ed23bf6399a7e586

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 e248cd797e8cb9366f4104b3219972d4
SHA1 3e43f005f9f4ded52a27b35cd1bd32d460073f05
SHA256 8a3a3dc3fca8b3b30a66aa4bbeab67c6d92695dca501b1708b814e2daa7a77df
SHA512 6b98ac3db5d1695ef1902e19c48e4a2b5631955c901735943648d1bfbd4ca95a04a656c5f03694c144dd93ccfeec19e7f5260fbd02a53b944db4dad66b037f0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d750a4bea54801f3bbb4476177488d74
SHA1 971679c2f3a8de1e333391074966815da80737e9
SHA256 c1f0bcb6f9eb756b0bd755762b10250266c397bf40f27e68600ea9326f297d70
SHA512 a0e1017cddc5399d3076b16ee499b014b15a2e419a6b5854477eeac387b7c89b3dcee0d50a5ce5882dd2171d24e49d1ea9fbc541731d896d75d56f752be547c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

MD5 26bf7bbfc49583478268995c54072ba9
SHA1 f5b7ae70b9c6df62323f31d6c47fb2afec182e5a
SHA256 356527afedfe2bd2c07550d041ee84115f468f3005217b8486d33bea0ec592a5
SHA512 266ea029b5da22081fc0a4d1000fd24f1aec9881f0f3379c3117aade483c965664cb06f73722de9290a5248090c68c623916b23f9c929d815f87bdd99a3626ad

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YT4IJQ91\shared_global[2].css

MD5 03d63c13dc7643112f36600009ae89bc
SHA1 32eed5ff54c416ec20fb93fe07c5bba54e1635e7
SHA256 0238c6702a52b40bbcd5e637bd5f892cc8f6815bdeb321f92503daaf7c17a894
SHA512 5833c0dbaafd674d0a7165fb8db9b7e4e6457440899f8d7e67987ee2ae528aaa5541b1cc6c9ea723c62d7814fbf283d74838d8f789fe51391ae5c19f6263511d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YT4IJQ91\buttons[1].css

MD5 1abbfee72345b847e0b73a9883886383
SHA1 d1f919987c45f96f8c217927a85ff7e78edf77d6
SHA256 7b456ef87383967d7b709a1facaf1ad2581307f61bfed51eb272ee48f01e9544
SHA512 eddf2714c15e4a3a90aedd84521e527faad792ac5e9a7e9732738fb6a2a613f79e55e70776a1807212363931bda8e5f33ca4414b996ded99d31433e97f722b51

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_9E9C5BD522DEAFF0AF9BF0B0877DDF33

MD5 cf6ec34336d31fa4ee339d7caf5c74d2
SHA1 8add258282fe84301f095800678c573670e06ebf
SHA256 a41fe8dea84fb2f5e5dd84743be7f95085ed96557c3f08c82d9fa6e575bf03ff
SHA512 30edf7b5a8ee9e18d5eb118c537ac58dfbf06e946e126ae4d8f7a6ed464f8c3a4b0f32360b847165f7d214513e8221c750a7b33792e605fb3eb97425f00e5486

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9E9C5BD522DEAFF0AF9BF0B0877DDF33

MD5 4958a192dba5af0fd134cbd41b7fdf9a
SHA1 d8424236bea49d98f150ed736d3d8c8b729dccb0
SHA256 36f34917f29e4e5b8dd8964a4e34162e69a76af78cd175639ff0b575e08a455e
SHA512 f0b67a57022e4730ce2ff62c205e287a77f72e37e5aa45737e8c1f43e2f7819b368a3a7957241d50eb44ba4956f62a472cb389a17da0cdcbcabee0e26dd79268

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_9E9C5BD522DEAFF0AF9BF0B0877DDF33

MD5 8bfdf60a70e64d0b6fa6a8b34db24a9f
SHA1 9fb8bd35afb3b5d836ba436b380c69994e5e9e19
SHA256 20fc1e3d6950615d88586e441653920056dcdd359fae0f157e5297614bd0e634
SHA512 60529b0ad0bb4c512f11a8905e61aece5ca57c167dd8a0fc0d3773e98683c7fc65efd012dd7a62bb702c1cb8d49a0858795f51d1e4ef00044936696b0d57f7cb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YT4IJQ91\shared_responsive[2].css

MD5 086f049ba7be3b3ab7551f792e4cbce1
SHA1 292c885b0515d7f2f96615284a7c1a4b8a48294a
SHA256 b38fc1074ef68863c2841111b9e20d98ea0305c1e39308dc7ad3a6f3fd39117a
SHA512 645f23b5598d0c38286c2a68268cb0bc60db9f6de7620297f94ba14afe218d18359d124ebb1518d31cd8960baed7870af8fd6960902b1c9496d945247fbb2d78

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YT4IJQ91\shared_global[2].js

MD5 b071221ec5aa935890177637b12770a2
SHA1 135256f1263a82c3db9e15f49c4dbe85e8781508
SHA256 1577e281251acfd83d0a4563b08ec694f14bb56eb99fd3e568e9d42bad5b9f83
SHA512 0e813bde32c3d4dc56187401bb088482b0938214f295058491c41e366334d8136487a1139a03b04cbda0633ba6cd844d28785787917950b92dba7d0f3b264deb

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YT4IJQ91\tooltip[2].js

MD5 72938851e7c2ef7b63299eba0c6752cb
SHA1 b75196bd3a6f9f4dfc1bbf5e43e96874bcd9ce4e
SHA256 e2d4e0e1d3e162fdc815f16dfff9ae9b0a967949f0f3ae371f947d730a3f0661
SHA512 2bb6c03a1335ef9514d0d172a4284d82a29d1783a72306bdcb8af3185d5cd2ff16303355aa4b05086d2fa0b5b7c7159cfa67de4a6175095ff0e68adec2a56ac1

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4R90HQQX\shared_responsive_adapter[2].js

MD5 a52bc800ab6e9df5a05a5153eea29ffb
SHA1 8661643fcbc7498dd7317d100ec62d1c1c6886ff
SHA256 57cfaf9b92c98541f769090cd0229a30013cea7cfafc18519ca654bfae29e14e
SHA512 1bcacd0ec7c3d633d6296fff3325802d6352805f0d2cf1eea39237424229ecffad6cb2aee4248e28b1eca02ff0646b58240851a246bbcf0aa1083830d5d9081e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4R90HQQX\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 41802b34db1704053ec462c9f6570de2
SHA1 103ac2dfd3d119806f65a7f90ebb4143f404c338
SHA256 279b7b59a908bece96242b184e70077a8061bb261c9d11b532fba7d998155dd8
SHA512 820e6dcc0cf42bd8ca1a213850a626b763ea161af86ad89a14f0946d83ca6a807c71a205611ec859372ec717a18950d0e6aef0b840cefacbe2f42caf5828f42a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0754325566956373b5ca4ea71a374053
SHA1 a69685d3108d5c725d26f0451d55caa0d532a114
SHA256 bfe326a7a98358c4a5a4ddba1242e4b1a52850ff15ad5a53d03bca975c559c89
SHA512 d69ec5b6f8b54d5427d413d487fa1c461a51137d40d46972812f0f9ee5d93751c6d4273c60cbab4142b5c6ee37999abb2a2d41a207449f80e39817b442a1fc48

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea6caf4f9c043bbaa63ef40007f27a37
SHA1 e0104ac4f045d24319d604a6ca9e2e05fd9e798a
SHA256 c49dc4bee82ee640e9bc4e9b97307f6a77d2afc7922e8fcaaaa123cd17799ac8
SHA512 89aaf17db44c0fb4fb8c5770397c0b88f342179758a66558430b60f4fd55927b2389409bac91d9d0151ca097cf5e2495bf883e65d9d88ede8664dc4d7b2cbaab

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4R90HQQX\favicon[1].ico

MD5 b2ccd167c908a44e1dd69df79382286a
SHA1 d9349f1bdcf3c1556cd77ae1f0029475596342aa
SHA256 19b079c09197fba68d021fa3ba394ec91703909ffd237efa3eb9a2bca13148ec
SHA512 a95feb4454f74d54157e69d1491836655f2fee7991f0f258587e80014f11e2898d466a6d57a574f59f6e155872218829a1a3dc1ad5f078b486e594e08f5a6f8d

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\t83hqs9\imagestore.dat

MD5 f0b785b72dcaf1f6ec7761522a55f680
SHA1 6833a65f96b6b79edf92038711dfd3bd3396f40a
SHA256 1dcafb50b7e080f64f4061123477bfb519facb746bd5ce286020da7e37fabe37
SHA512 bae512f47030b7758b79f10b9583d9392b1f99ddfb1f0359a7a41921645a8836a01e91da46abc4ffd5947dfcb79787a06075a1eb8c2cc9219a525e65795901ee

memory/2064-2015-0x0000000000DB0000-0x0000000000DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6WEH2YLI\pp_favicon_x[1].ico

MD5 e1528b5176081f0ed963ec8397bc8fd3
SHA1 ff60afd001e924511e9b6f12c57b6bf26821fc1e
SHA256 1690c4e20869c3763b7fc111e2f94035b0a7ee830311dd680ac91421daad3667
SHA512 acf71864e2844907752901eeeaf5c5648d9f6acf3b73a2fb91e580bee67a04ffe83bc2c984a9464732123bc43a3594007691653271ba94f95f7e1179f4146212

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6WEH2YLI\favicon[2].ico

MD5 f2a495d85735b9a0ac65deb19c129985
SHA1 f2e22853e5da3e1017d5e1e319eeefe4f622e8c8
SHA256 8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d
SHA512 6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E25VF8N4\favicon[1].ico

MD5 231913fdebabcbe65f4b0052372bde56
SHA1 553909d080e4f210b64dc73292f3a111d5a0781f
SHA256 9f890a9debcdfccc339149a7943be9aff9e4c9203c2fa37d5671a5b2c88503ad
SHA512 7b11b709968c5a52b9b60189fb534f5df56912417243820e9d1c00c97f4bd6d0835f2cdf574d0c36ecb32dbbf5fc397324df54f7fdf9e1b062b5dbda2c02e919

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6WEH2YLI\favicon[4].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E25VF8N4\epic-favicon-96x96[1].png

MD5 c94a0e93b5daa0eec052b89000774086
SHA1 cb4acc8cfedd95353aa8defde0a82b100ab27f72
SHA256 3f51f3fb508f0d0361b722345974969576daef2c7d3db8f97c4ca8e1ff1a1775
SHA512 f676705e63f89d76520637b788f3bac96d177d1be7f9762aeb8d5d1554afd7666cbd6ef22ce08f581eb59bd383dd1971896231264bc3eaabf21135c967930240

C:\Users\Admin\AppData\Local\Temp\tempAVSrvmYVRRGkHbC\1eM6HAej3hftWeb Data

MD5 38a918d4a69a50fed0c73514cf46360c
SHA1 4eb300432ac32153a8653f6ecf1a4f49f1704609
SHA256 553a0a40f1c41da21597416a6bc540f5054b3c90a1b7ba7a3c79952338c24a6a
SHA512 c19fd6815bda5c0f315bd0ff3f43a4951173e2d9d04f719f0c8fc93743e007903bf66c9a59c5af6804cf83f94b6e9a6d8859eb4bb06c23154613454d43db3e7f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce4713ca288bb46d201bab8266dc5963
SHA1 709d4638942458481ef138ddd4fb594e33c058f2
SHA256 cf2086d1d246845aabbce534c075697f2c7b143b56e72d6dbf18882a22caabfb
SHA512 46b3dc0c8c0097ac826ee0e2285e3bbef8e0a6e9cc7a4266be5a4f530b50cc5095adee4b93b916e05535cb19c0f867fe0c9469f3c16b6ed0fc1103a9c2f7d358

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fa02334d71834e25a43f646b5bbe2a60
SHA1 4f3e83278240bec60ef9f3ddccd64cac280b6613
SHA256 3a437cf7af2e023ee8047a57cadf96a8b072ebe8069e92acc9aee4312aa4b2eb
SHA512 3636320abfc38c0d081801092d52b0c8aaba1cbed590608fabd038ca21a36c1bf3f67c5c95578f1e844acaf05234386d4df9ff97715f0541ecf907c49023146e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f415e062d166a6f86fcfb01bd8a27032
SHA1 0c6a482563476eb1875dd681887741acdc33088f
SHA256 4ff5af613bca6806040c25c9cfcc548608b854286e853a53d8f2998ace5f410e
SHA512 e109cbe1988e4187dcd4b6c8fa013ee2e6bf12bbf51a6957340a049eebbcd07b093680da78994349bc0eaaedfe395e5d5812b8dfbc343f356ba3a0447ebc1343

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31ba11f39a1d378087de80568a2ae1dd
SHA1 e87416ad72e48e9e41b0c3ad5500b3f24c876060
SHA256 3021453da526f1d6db959e7d965e8148b5fa501392cf916820257aa4c781dff5
SHA512 89dce965e5a543b296f521a3de1ba5b7dd44db3d98752e6b23328dd2c4603cab53f8331bd518c75accf438a2c5ca060b5a79f6bd15e11c68f200d1496ca92df9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b6306463ce38624bb5e04e52ef6cb132
SHA1 47f7337156e2c5953c58dc95d6f27f3f27688ffd
SHA256 8035b7659473a6d395b513423ab7d3dac5c02f1b23ffed8757f30978bd0b3aa0
SHA512 3ea57af4c6c456e3b25c8880793a5a7157ecbd0e1dfb1dc7e723ea7d71efa317d6af8880372696ee3f61f8e1f3201c853f97b09b75e4b37d8d938947c51e815c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e330dc78104e26b838568db05eed0b5b
SHA1 8d6c95aa466730717f4ced0b11827ac0c8d37e0b
SHA256 cb073ad73fcd48489e55b6d6c3a7529916e00743d792a5569edbaa3f811922df
SHA512 ea458971a817f2975973f497b2a6c19695bd1ead2db0964c6a01247a473b734d34a6463ff38b17c068cc68eb84c3cd52231110aecff1cec014d308ed88d9c702

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aadf1be4a5925b2cbe405b2386df2ea3
SHA1 2bbcbb3da8fe5b344857e1242d73eb52c174cc13
SHA256 fa872ce257daaede9f193798a02b7afc6e3efd15cbd0d4abf69e6c89aa7a8022
SHA512 2eee151cbc8b6e298321d15c6411ad20f760ca6dd97984332eab077d6e92f5f439cb05930acccbc67d806bb6765b59549fb88538bdc496b9eb3fc01e17e531f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 609085e553bd8a7636d4efc3e206bc0c
SHA1 3a8b6257455a40e00053df26827846cfc6788fdf
SHA256 e3d79f087c9d627a1354aeae0e138662f35ae28e9d05274a6f3b566ed2c142a8
SHA512 187b43df91b886bc27d9b06eac1bb71c8faa8c0c821ba2fb9f64116f73e6036a628ab3c088c68d555b2c30ea2a3b0a7631e5eaf3bbf0221a4b51391dc5a1e89b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2db24ad39071706afff6119a981b033
SHA1 f16061b4bd75972ffab5aa85f77030a78a897213
SHA256 37fd368a6cf5d13d5e9deee3cf432844cb263376a7e91ed4a7142212d8181a07
SHA512 e1091ce2aa67604a506c36033d1b84b76fde462744eee7f142de284d8ce8853c7216f4e5526045bfc4eae72b8aa53778671c3dc24df9b3b48584150614eef8d7

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-22 01:00

Reported

2023-12-22 01:03

Platform

win10v2004-20231215-en

Max time kernel

152s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Detected potential entity reuse from brand paypal.

phishing paypal

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2398549320-3657759451-817663969-1000\{7E6F6398-1D67-44B9-8D95-2A6FCCF6756C} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3656 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe
PID 3656 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe
PID 3656 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe
PID 2232 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe
PID 2232 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe
PID 2232 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe
PID 2472 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2472 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2744 wrote to memory of 1664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2744 wrote to memory of 1664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4056 wrote to memory of 1012 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4056 wrote to memory of 1012 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2556 wrote to memory of 3408 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2556 wrote to memory of 3408 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2232 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe
PID 2232 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe
PID 2232 wrote to memory of 4776 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe
PID 1280 wrote to memory of 540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1280 wrote to memory of 540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4400 wrote to memory of 3800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4400 wrote to memory of 3800 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3568 wrote to memory of 4376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3568 wrote to memory of 4376 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4448 wrote to memory of 748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4448 wrote to memory of 748 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 4760 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1324 wrote to memory of 3540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1324 wrote to memory of 3540 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5056 wrote to memory of 5000 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe

"C:\Users\Admin\AppData\Local\Temp\edb16ee14ff56f6f5b19f0433d8c47259b52ebc3219e351c7bfd7e3974974bae.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://store.steampowered.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://twitter.com/i/flow/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://steamcommunity.com/openid/loginform

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.epicgames.com/id/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.paypal.com/signin

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffef5c146f8,0x7ffef5c14708,0x7ffef5c14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffef5c146f8,0x7ffef5c14708,0x7ffef5c14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x130,0x16c,0x7ffef5c146f8,0x7ffef5c14708,0x7ffef5c14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffef5c146f8,0x7ffef5c14708,0x7ffef5c14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffef5c146f8,0x7ffef5c14708,0x7ffef5c14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffef5c146f8,0x7ffef5c14708,0x7ffef5c14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x144,0x16c,0x7ffef5c146f8,0x7ffef5c14708,0x7ffef5c14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffef5c146f8,0x7ffef5c14708,0x7ffef5c14718

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffef5c146f8,0x7ffef5c14708,0x7ffef5c14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1932 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,13969448040272056158,13812341461042757157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,5067312036515100701,11073188558310105316,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,3280133620214508146,4564407801310675040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,5067312036515100701,11073188558310105316,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1940 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3280133620214508146,4564407801310675040,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,17869375177226870398,8741842620156257574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,17869375177226870398,8741842620156257574,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,13969448040272056158,13812341461042757157,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,5407641893521006293,5661779291651121541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,5407641893521006293,5661779291651121541,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,6464092363731973680,15758815353587677150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6464092363731973680,15758815353587677150,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1472,4479016237699402039,1026625337254206562,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1472,4479016237699402039,1026625337254206562,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,12668267040946170317,10672715183779605974,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8088 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8984 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8044 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8044 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7860 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7524 /prefetch:8

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4448 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8568 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,10675780524985235638,7452229860743252971,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2744 /prefetch:2

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.linkedin.com udp
US 8.8.8.8:53 www.epicgames.com udp
BE 64.233.167.84:443 accounts.google.com tcp
BE 64.233.167.84:443 accounts.google.com tcp
US 13.107.42.14:443 www.linkedin.com tcp
US 13.107.42.14:443 www.linkedin.com tcp
US 44.215.97.184:443 www.epicgames.com tcp
US 44.215.97.184:443 www.epicgames.com tcp
US 8.8.8.8:53 www.paypal.com udp
US 8.8.8.8:53 store.steampowered.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 twitter.com udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 www.youtube.com udp
US 2.17.5.46:443 store.steampowered.com tcp
US 2.17.5.46:443 store.steampowered.com tcp
US 151.101.1.21:443 www.paypal.com tcp
US 151.101.1.21:443 www.paypal.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
US 8.8.8.8:53 14.42.107.13.in-addr.arpa udp
US 8.8.8.8:53 21.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 238.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 46.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 184.97.215.44.in-addr.arpa udp
US 8.8.8.8:53 84.167.233.64.in-addr.arpa udp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 157.240.221.35:443 www.facebook.com tcp
GB 104.103.202.103:443 steamcommunity.com tcp
GB 104.103.202.103:443 steamcommunity.com tcp
BE 64.233.167.84:443 accounts.google.com udp
US 8.8.8.8:53 static.licdn.com udp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
GB 88.221.134.88:443 static.licdn.com tcp
US 8.8.8.8:53 1.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 35.221.240.157.in-addr.arpa udp
US 8.8.8.8:53 103.202.103.104.in-addr.arpa udp
US 8.8.8.8:53 88.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 81.171.66.18.in-addr.arpa udp
GB 216.58.212.238:443 www.youtube.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
US 8.8.8.8:53 i.ytimg.com udp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
IE 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 142.250.179.246:443 i.ytimg.com tcp
US 8.8.8.8:53 community.akamai.steamstatic.com udp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
GB 104.77.160.221:443 community.akamai.steamstatic.com tcp
US 8.8.8.8:53 www.paypalobjects.com udp
US 8.8.8.8:53 store.akamai.steamstatic.com udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 192.229.221.25:443 www.paypalobjects.com tcp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
GB 104.77.160.220:443 store.akamai.steamstatic.com tcp
US 8.8.8.8:53 23.147.70.163.in-addr.arpa udp
US 8.8.8.8:53 246.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 api.twitter.com udp
US 8.8.8.8:53 api.x.com udp
US 8.8.8.8:53 abs.twimg.com udp
US 104.244.42.194:443 api.twitter.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 172.64.150.242:443 api.x.com tcp
US 8.8.8.8:53 video.twimg.com udp
US 8.8.8.8:53 t.co udp
US 8.8.8.8:53 pbs.twimg.com udp
US 93.184.220.70:443 pbs.twimg.com tcp
US 104.244.42.133:443 t.co tcp
US 68.232.34.217:443 video.twimg.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
US 8.8.8.8:53 static-assets-prod.unrealengine.com udp
US 8.8.8.8:53 tracking.epicgames.com udp
US 54.89.57.250:443 tracking.epicgames.com tcp
IE 13.224.68.64:443 static-assets-prod.unrealengine.com tcp
IE 13.224.68.64:443 static-assets-prod.unrealengine.com tcp
US 8.8.8.8:53 facebook.com udp
IE 163.70.147.35:443 facebook.com tcp
US 8.8.8.8:53 221.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 25.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 220.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 194.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 141.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 242.150.64.172.in-addr.arpa udp
US 8.8.8.8:53 70.220.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.42.244.104.in-addr.arpa udp
US 8.8.8.8:53 217.34.232.68.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 64.68.224.13.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 250.57.89.54.in-addr.arpa udp
US 8.8.8.8:53 35.147.70.163.in-addr.arpa udp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
GB 96.17.179.184:80 apps.identrust.com tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 184.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 fbcdn.net udp
IE 163.70.147.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
BG 91.92.249.253:50500 tcp
US 8.8.8.8:53 253.249.92.91.in-addr.arpa udp
US 192.229.221.25:443 www.paypalobjects.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 www.recaptcha.net udp
US 8.8.8.8:53 c.paypal.com udp
GB 172.217.16.227:443 www.recaptcha.net tcp
GB 172.217.16.227:443 www.recaptcha.net tcp
US 192.55.233.1:443 tcp
US 192.55.233.1:443 tcp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
FR 216.58.204.78:443 play.google.com tcp
FR 216.58.204.78:443 play.google.com udp
US 8.8.8.8:53 sentry.io udp
US 35.186.247.156:443 sentry.io tcp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 156.247.186.35.in-addr.arpa udp
US 8.8.8.8:53 t.paypal.com udp
US 8.8.8.8:53 b.stats.paypal.com udp
US 8.8.8.8:53 c6.paypal.com udp
US 151.101.1.35:443 c6.paypal.com tcp
US 64.4.245.84:443 b.stats.paypal.com tcp
US 8.8.8.8:53 35.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 84.245.4.64.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 api.steampowered.com udp
GB 104.103.202.103:443 api.steampowered.com tcp
US 104.244.42.194:443 api.twitter.com tcp
US 35.186.247.156:443 sentry.io udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 dub.stats.paypal.com udp
US 64.4.245.84:443 dub.stats.paypal.com tcp
US 8.8.8.8:53 store.akamai.steamstatic.com udp
US 8.8.8.8:53 community.akamai.steamstatic.com udp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
US 152.199.21.141:443 abs.twimg.com tcp
GB 104.77.160.220:443 community.akamai.steamstatic.com tcp
BE 64.233.166.84:443 accounts.google.com udp
US 8.8.8.8:53 84.166.233.64.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.200.4:443 www.google.com tcp
US 8.8.8.8:53 www.paypalobjects.com udp
GB 172.217.16.227:443 www.recaptcha.net udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp
FR 216.58.204.78:443 play.google.com udp
US 8.8.8.8:53 static-assets-prod.unrealengine.com udp
GB 172.217.16.227:443 www.recaptcha.net udp
US 8.8.8.8:53 www.epicgames.com udp
IE 13.224.68.47:443 static-assets-prod.unrealengine.com tcp
US 184.73.65.24:443 www.epicgames.com tcp
US 8.8.8.8:53 47.68.224.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pg7gN10.exe

MD5 82cb856847829c2c2b299d889fd53c5d
SHA1 918c522499a0b3c47270f07106857f933045b3b5
SHA256 c214bac16a7a3797d7b324a0d4a1dfcfbb9c7e7d7d45a6825f65c0a5c0bba253
SHA512 db8e35fc67d8cb30f640609ff8db744136bf6ed412e6b9a588a4b0a0fb6c71c291270994f94a47b623b788dc6eb39c3aaf1605190e2be31a1d8fa58e906bdc5d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1nC09rP1.exe

MD5 c22e40f1d55d7b05476516614ae30ac2
SHA1 09a564a27c71acfa4a573604275cb57edcf6df1f
SHA256 876269537b6138e6cec0537fd3edfdf83bca9a59ad20608ddfda16a8c6d46efd
SHA512 54eafc66bd23b5ff4f41881f19ce2bc4158eb47c832833d842d891336a81650bc52010c1cc88169dbd3f4be6fd8d9c9764452710654666ed37b1ced27ff22a7e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe

MD5 a2a10ea7780e274692d913c4ba07be05
SHA1 a11c2c4d9f9ff04298badb9bd5117431d0ea1361
SHA256 e87d322efcd5154fc25891f92a61d6b01095c6d7ed1a8a5918be59660a1e4bc0
SHA512 7bbb19e08aa04c794490faee7c020fa3a06080250b05e68b490c23418355d0fd90147ebf6c79e48d9abfd9cc911e329a9604f9d64431620ec701c136d741fec5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\4nq048LN.exe

MD5 2fc251068fbd69182ec0afdc9f1a3d3c
SHA1 908333a19b486d5910e6155101eefab2d763cc9f
SHA256 38e9f68a58051527ae6096335f9399bfbc1c6b6e4be86e56971a92b700e76b2b
SHA512 b950d54f0279d4126f04fd6ccb9596f2179c8d8f36daa2c905ad2b27e77c216d9dbd80cd4cf948ffeaa69e75016bd863fb79b3d1a0b81aa1f982cd6b8a400a6e

memory/4776-17-0x00000000003F0000-0x0000000000ACA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 51ccd7d9a9392ebca4c1ae898d683d2f
SHA1 f4943c31cc7f0ca3078e57e0ebea424fbd9691c4
SHA256 e36c7d688cd7d187eacc4fc1ccdd2968de91cee60f15ecb0e0d874da07be7665
SHA512 e3773c19314c66f09c0f556ade29cd63d84cc778be64060a570eed8f6c7918b7d09d2694d9e2d379bdaecb4e20cb140749a8111ef267c67a620d64cb598e0619

memory/4776-31-0x0000000076EF0000-0x0000000076FE0000-memory.dmp

memory/4776-34-0x0000000076EF0000-0x0000000076FE0000-memory.dmp

memory/4776-37-0x0000000076EF0000-0x0000000076FE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7a5862a0ca86c0a4e8e0b30261858e1f
SHA1 ee490d28e155806d255e0f17be72509be750bf97
SHA256 92b4c004a9ec97ccf7a19955926982bac099f3b438cd46063bb9bf5ac7814a4b
SHA512 0089df12ed908b4925ba838e07128987afe1c9235097b62855122a03ca6d34d7c75fe4c30e68581c946b77252e7edf1dd66481e20c0a9cccd37e0a4fe4f0a6fe

memory/4776-73-0x0000000077214000-0x0000000077216000-memory.dmp

memory/4776-86-0x00000000003F0000-0x0000000000ACA000-memory.dmp

\??\pipe\LOCAL\crashpad_4448_SWZUVEAFOGKNFXPQ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4776-136-0x0000000007960000-0x00000000079D6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5f3d504a29581d4c33aa02e9fbdd8beb
SHA1 0c3484b0d90b77efb3024e205a1137266273180b
SHA256 35e3fbbd1042d7ce346f7336f7099cba0a062b9eef76ea75a2be71736e7a517c
SHA512 7cfdaf89467de1e2ebf094406f88bdc9f26abb020135d7c0dde9e90691f5a25a9864864784f2b3c4be4ec2748e839a5e6c92047a5d9514174df003f78bdb3a71

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3a2d8e57be76f0521252f8bbf8c5b4f6
SHA1 7a84c7698762e49b022c9029cf3fa94c2647ac68
SHA256 01034485d5de290f6657b095c88d8d04005011ec067dd436634c6bd85b994d71
SHA512 935dea22f4cd6ae93a9d572d7cb87e3e603ee7cf0ff2845f6a70259d1bc8013348838213e1f6cdf9876d93a81197b5abf10667b309f9ba9fe6e655fed3444b8a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\66c100b7-6686-4caa-8138-6ae517cc0dd1.tmp

MD5 8790025fbc1c50663a80b8ca1c088605
SHA1 3d0c072a455d689e917fa2df3769d2daefc1a90d
SHA256 74bacea70b71f1c72a7fafa070b918bd6f9a2f92a00d2d6472efa1dd2280dc7b
SHA512 633ba9c1fdd3e3e53ce250628fe7a0e2fc85a24649d73a55c658ecc67698d53ce9ca3b02c9e76886a526e7a1a5b1ecc39981b03f7da3d4645bfb11d2e017d6f9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fed7953ffdf49d31122aa1ce4fcbc698
SHA1 c50e958765a66d079a9050cb671e182583d6ceb3
SHA256 aacaaab8d4099e3ebcf8ff2829d46463e84124d442e795bc84302174dc39c4ca
SHA512 aa44c9c78164396cd0398dcce2a5e9134c36ada58d8281c412b124f15b20949d750f18bef14dff45d2ce5bef21ee41f36ccb604aed69944a722e22411bb862b3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 726e573328d0b0d30b2a59148f7bd34e
SHA1 5b0335c65638ab3bbd0f6ab7c4e6c3da6464e015
SHA256 c3c10f8d24abb22f9026fad251ee926125f479e27e9e610ebe5f08905b09c9c8
SHA512 b4a68e0dc82235c0341c63c3a7e0ae77a1bb174015d629434e0c6e18042dcbc246da3cac23214f455c6487c98b2f2ca0dc0b553592a9defd3af296a30eefdecf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 408e33270b88534a13fb8fdd3c6ade73
SHA1 b36ff4ccbc91ca4226d19e6fc3ca6d850fa5748a
SHA256 d6ba6f719195093c43f8e9c5061e8e80f4493b9591a36e6aca395f29bb00a8e3
SHA512 4270b8ebc94d652a46ab7d24e0a580b0ccd98331616196d1cb9458765aaec62f5a4e0584307446581cc5aa6f2b1e461f1101783037dbb719c9dda33388ceafd3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\8e565524-58b6-44fc-8334-2a28365e3113.tmp

MD5 07a1e693b300bf54398deebf325903fe
SHA1 b816a6352a49faf9641d0f47aebace9ab0b51605
SHA256 4df8385513efb16b4b745492b8c6a0fd83bfa28d3d0b0fd51542316bbec39beb
SHA512 4b0ed12790e844279b9de03fbdacd12deb52a48b65931f0e67618514b096813962760f70f369acbe8335c07bd40c12d56db1f2d18d402a0e446ed6c979a87984

memory/4776-241-0x00000000003F0000-0x0000000000ACA000-memory.dmp

memory/4776-242-0x0000000076EF0000-0x0000000076FE0000-memory.dmp

memory/4776-243-0x0000000076EF0000-0x0000000076FE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 da044811ca4ac1cc04b14153dccbbf37
SHA1 6495d9b495010f8c79116e519a8784e342141b8a
SHA256 7c31979024f0d5873af50e66b541135b095a0958d7c0203e01f366cfb2a8d1b8
SHA512 0352129b629768f0192f58e43ac097758f3aae0236de363638ce14a994bdb0f17e31882f6ae7a93643222f542ffb21cf492d3c18dbaf6ec5822c45a8c2ce33d5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 1ceaf18da0082ce3f5aba32339de13e8
SHA1 69485d91548b18d5cb31b42a7385749c87f16377
SHA256 5900e0d77e61dc8028a019f33477283c816468b735779237f6aead81b6ccca71
SHA512 a4ad2147c5fa6559e4e8dc0224faafc57e51e88d069275c49a3b9ea3461326b06571a903ae3671b3257c01a91bce970dc2df3200c84b204c2bb8f33afaac512a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ba856ca761aec71309b47615b94c0d20
SHA1 04bae8e42710d6385bdd625fe07baa2dd72e9a88
SHA256 ced72d9352aee261393fb59c99d87bfecaa60585c36465fff55e5b9ac04c566d
SHA512 0a0be9668235d4da725fcf70ccb71eba77a5697f0de907768e7bddac3e2774d4806eec32f9ee27834ab3ae5ee7048cc45b395a1ecec2903b8a59c1cc82153d73

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c800741ad6775facc2de8b076a0fd63e
SHA1 fca0c3c6603a3f0c8960736515589c1b11451748
SHA256 8afd7e33accffcd474dd5fce3b7fc90507f32afa3302c79f9006791f32ce31bf
SHA512 93ab4a0b3b4ff8447aff8e40a493c2574549390c97f44e86f44b019b4e81fdae43c98177e039f2430cd186804bf16fbaebc90e6c48464fe1c3e02d5d3671ea23

memory/4776-415-0x0000000076EF0000-0x0000000076FE0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 889664c35c82bd2a2b2a6ceb2ca99ae5
SHA1 c86a65e2881dc53bec1ff06065a50ff126a8fe58
SHA256 4bdf8b8c77b0cac64c54e669679ff70652a31e6a2a252309f6f4ffd9aa7fa63e
SHA512 82b1ae46d98ba7e2567ffb167897393aa4226d5c4e896517eabdf45aea7c3370e0c107c423f7c522c95fe66707e0aadee8300cc2c853a5fc5fb1d59d51885569

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 de71524c4f49a04186fe7a34cd6ddb46
SHA1 bc2db2afdd183a88aee864e4646eb9163a533c14
SHA256 3c32815e5ed1ad561d08231a2da701596c37414af75e0275b06caffbe937fda2
SHA512 724998bccc6d10f0f4e8add1561d80ae77f3f56bf35f46ba0a522372a061dd02caa7fd0dc6bb46d52e5176b83ae5612eb9077364f23cb19e245f719cdabe4824

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 52826cef6409f67b78148b75e442b5ea
SHA1 a675db110aae767f5910511751cc3992cddcc393
SHA256 98fc43994599573e7181c849e5865f23b4f05f85c1115dff53c58764d80373fb
SHA512 f18df18cab6b5ecd71b79c81a2a1fdac42cc9960f62f06ac25f4d6487792705f2766ee3a10239eaac940d090186e6bc820e4eb7a5ee138f6e5c1c64f951b960c

memory/4776-619-0x0000000008800000-0x000000000881E000-memory.dmp

memory/4776-659-0x0000000008D50000-0x00000000090A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tempAVS8JzjxS7dsllj\rLgrlWmngxrlWeb Data

MD5 b90cf1a5a3c72c72847629841bd1436c
SHA1 ba20945b425a6026feb6bb52e5470d3f5fbcc867
SHA256 e9b8ea92b52b3bb5ebf786c9d348c1b88cc33daf00e4acf1e479e66f163d3d70
SHA512 0121cbe71ac505d8fd4fffbb9efebdeffa39d7b0f92a41860d9ec3a352b7ea5794817d56295b483062955e8a353988c9c1bffa59e6eff374dbcab0f8a81d7937

C:\Users\Admin\AppData\Local\Temp\tempAVS8JzjxS7dsllj\ylYvN5txTcHJWeb Data

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

memory/4776-724-0x00000000055D0000-0x0000000005636000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 30c29cba7233363283a050ee16062657
SHA1 d9d7cfd3ebbe2b01b6d9c89d10dc7022a1019b08
SHA256 dc9023fdad4a85b1a63742d1c18f6cbcd63295a55423a88ff88c988b69838ff7
SHA512 22645965bb7a98e09645ee8f300bded75ea811dc7c0a937b9fbdc44841fd6e6b029745badb56435236cac3cbfa26df18250f2aa1ef9ad307a902f6212ca6342b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 01d148413ab29ee4de5781b35d37d9ce
SHA1 a68d57d90b22279794b7f51fc34268546bea7f7c
SHA256 9f907337eaf617dd86127ba2d51df32c89670d92612e15adf850fc347815d35b
SHA512 88d7408dd1eed02b05b77fbe066b2940d3888b099e6e0485c5ffcb62b3131233f74eb106eca2866746d914003d1837724bc8f814a041fb281773fe719db7b6ce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe592968.TMP

MD5 ad421d012481de556d031d35db3555b4
SHA1 d28b87f4441dab0dff01c9a3f295c1498709a37c
SHA256 b085447db65bb88e13ab00c8011bac8a21f731cc14b9166946e6d5afcb1e0c2a
SHA512 9aff6adfd94a3e6d4bf1681686af914bada898546a8fcbe8447067b0c5286224012a02c142f110aaef9416a028a49bdf9f45f32c0825f85c29a32a50e25c0532

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 01d2e7dd0b69847597a5a0cb02b6ee15
SHA1 aa09e04bd726e5c627295612129987064c29716b
SHA256 2684301e397b39d6dcabbdabd4357d175b7784a86b77564c52a784fe797dada1
SHA512 4104e865ed9c0db02a6c2de9d8ef28c4777a89d994153f5dbdbaeb3de532464428860e0314686a81a93490d3bde18076e6bb2c28fd8deb74842ab9fbf3e590f5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 16bd506e3909a344282c92665786fa67
SHA1 562cc04d025dfba1943746e64ba31e26e2dbc1b0
SHA256 6b3b3777a46b486665bbaf788c83d8a41e3fbddc239f6ac3c92f183046645aeb
SHA512 cacf636b9604c16dfe17cede39af81ec5203d2b70ee9e1a6eff2c2a289ebd72eeea0da347c4d5fdf830de961d5f1361223815f92adb2f8a4e07f3a39bff0a08e

memory/4408-857-0x000002F69A250000-0x000002F69A270000-memory.dmp

memory/4408-860-0x000002F69A210000-0x000002F69A230000-memory.dmp

memory/4408-864-0x000002F69A620000-0x000002F69A640000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_twitter.com_0.indexeddb.leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7bf6dbdf181b7d395d73eaa1a542a4ea
SHA1 b3ae5c1e35772dbe13460b3b3a5820c3910215ba
SHA256 279cba8c455a83bf1c07ae947d2242f6c9cdf4ff8a3c613b88d5f1ff061b4cd3
SHA512 30a4b2b2db68f477d57d1f4a543fbf97f737c1bf176ddb397168649f220191d82cd9642fc507a368cb74aa46adbe97b95f381aad34651e01ed19495fec6b754a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 9782312dd6a9e115ca94c41aa8a62ee0
SHA1 7ee8f44a375a26c182b55352054e9f27822db7ea
SHA256 2821bab59d0064890054db4c99ff00dd530b7cf4d532e0c2bdb560694631acd3
SHA512 f61689f940ef2628b318b30732500565531830a3210f024cec130795295a4dbedd5eebc6d1807a8751534fae2da70de2992a1b8d5c4db22afe1fcda4c3cc1c75

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 6adecc8f8cde7af20f158a2405dd39d0
SHA1 ae4c3485f41d1153c71fa758b262c6bf836eb475
SHA256 ee4d78415585a083de4dfb30f7617e7d602e3a0e7ad8528fd08e11bbabdac709
SHA512 1b20d5f983e9d2e4655fa2601a41aa846ce3935352626021c79acc159ca204a8512e8eeff4ce0147ca019b2b0402762c8718c75f7947e9b9301a5082666d784b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 36266075a23db02598db006cac53d631
SHA1 e00972ea4df0ef57cca7bf3e1ea1c4eed86e0947
SHA256 32446cd9c8086d1c4b4eba9c1b93d4fdfbbeefa8e8b6de421e7e01b8c59c87a2
SHA512 b10e31ff7b8a17598597be541aa90164edf28f0bd239f193ea40f18f2342e7344013c9277ad19d006b65c47872dbf24895e1d67be80bbe03e7baf36f06f2b756

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 4e57d2b581e169cbccf6c4f3cdc79429
SHA1 ed58db400191e261bfcca358c36cbdbf8929d509
SHA256 2c78441403e5d8dab7ee110ec2e4a0ed6dbeb320b64b898121ab5255a524473e
SHA512 50a4fd33eb320c07032f3784a730a7e031d1d70ce97e157218bf9747d9393bb661a94eac4ad03bed8dc28e9581713438f440285a26345108675b32f4dcfe0ad9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 24fe73a86709d530a3ef0d54ab089d21
SHA1 6aad6ffd0e35c94fcc7928d570f345c0d629b400
SHA256 e51847f20a51b702a886e88c4e1076bde4c819a9d1f257379f9b4c46f9ef4a8a
SHA512 b018001797682f02da5ac24970c73c990dc3d2c9aef1e9c057e06ba68592c5c8a0b4ed7a3d98a4f2d76fe13eaf783b897a46842de8a653dcc9ae291b78911038