Malware Analysis Report

2024-11-16 15:50

Sample ID 240206-lla7hafaap
Target 94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233
SHA256 94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233
Tags
google collection discovery evasion persistence phishing spyware stealer trojan lumma
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233

Threat Level: Known bad

The file 94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233 was found to be: Known bad.

Malicious Activity Summary

google collection discovery evasion persistence phishing spyware stealer trojan lumma

Detect Lumma Stealer payload V4

Lumma Stealer

Detected google phishing page

Modifies Windows Defender Real-time Protection settings

Loads dropped DLL

Executes dropped EXE

Drops startup file

Windows security modification

Reads user/profile data of web browsers

Looks up external IP address via web service

Checks installed software on the system

Accesses Microsoft Outlook profiles

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Modifies system certificate store

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

outlook_office_path

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-06 09:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-06 09:36

Reported

2024-02-06 09:39

Platform

win7-20231215-en

Max time kernel

142s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233.exe"

Signatures

Detected google phishing page

phishing google

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{434A2BF1-C4D3-11EE-A297-464D43A133DD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4347CA91-C4D3-11EE-A297-464D43A133DD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{434A5301-C4D3-11EE-A297-464D43A133DD} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob removed] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob removed] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob removed] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob removed] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe
PID 2008 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe
PID 2008 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe
PID 2008 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe
PID 2008 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe
PID 2008 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe
PID 2008 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe
PID 2092 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe
PID 2092 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe
PID 2092 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe
PID 2092 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe
PID 2092 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe
PID 2092 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe
PID 2092 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe
PID 2696 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2696 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2716 wrote to memory of 2584 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2716 wrote to memory of 2584 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2716 wrote to memory of 2584 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2716 wrote to memory of 2584 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2716 wrote to memory of 2584 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2716 wrote to memory of 2584 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2716 wrote to memory of 2584 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2904 wrote to memory of 2632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2904 wrote to memory of 2632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2904 wrote to memory of 2632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2904 wrote to memory of 2632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2904 wrote to memory of 2632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2904 wrote to memory of 2632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2904 wrote to memory of 2632 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2092 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe
PID 2092 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe
PID 2092 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe
PID 2092 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe
PID 2092 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe
PID 2092 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe
PID 2092 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe
PID 3012 wrote to memory of 1148 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3012 wrote to memory of 1148 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3012 wrote to memory of 1148 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3012 wrote to memory of 1148 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3012 wrote to memory of 1148 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3012 wrote to memory of 1148 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3012 wrote to memory of 1148 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2688 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233.exe

"C:\Users\Admin\AppData\Local\Temp\94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://facebook.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3012 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 2464
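The two `schtasks /create` pairs above are the persistence mechanism, and the `Get-MpPreference` call is the sample reading Defender's configuration before it tampers with it. The script below is an added example (not part of the sandbox report): it tokenises the command lines from the Processes table, which are embedded as constructed sample input, extracts the task name, target binary, trigger and run level from each `schtasks` invocation, and explains why each one stands out. The `USER_WRITABLE_PREFIXES` and `RECURRING_SCHEDULES` watch-lists are assumptions for the example.

```python
# Added example (not from the report): flag scheduled-task persistence and Defender
# probing in a sandbox process list. The command lines are copied from the Processes
# table above and embedded here as constructed sample input.
import re
from dataclasses import dataclass, field
from typing import Optional

PROCESS_CMDLINES = [
    r'"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/',
    r'"powershell" Get-MpPreference -verbose',
    r'"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST',
    r'"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 2464',
]

# Paths a standard user can write to: a task whose binary lives here is not a vendor task.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")
# Triggers that re-launch the binary with no further user action (assumed watch-list).
RECURRING_SCHEDULES = {"ONLOGON", "ONSTART", "MINUTE", "HOURLY", "DAILY"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted spans as one token."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


@dataclass
class ScheduledTask:
    name: str
    command: str
    schedule: str
    run_level: str
    reasons: list = field(default_factory=list)


def parse_schtasks(tokens: list) -> Optional[ScheduledTask]:
    """Return the task a 'schtasks /create ...' line registers, or None for anything else."""
    names = [t.lower().rsplit("\\", 1)[-1] for t in tokens]
    hits = [i for i, n in enumerate(names) if n in ("schtasks", "schtasks.exe")]
    if not hits or names[hits[0] + 1:hits[0] + 2] != ["/create"]:
        return None
    args = tokens[hits[0] + 1:]
    # schtasks switches take the form "/name value"; a switch followed by another switch
    # (such as /f) is a bare flag and is skipped.
    switches = {}
    for i, tok in enumerate(args):
        if tok.startswith("/") and i + 1 < len(args) and not args[i + 1].startswith("/"):
            switches[tok.lower()] = args[i + 1]
    task = ScheduledTask(
        name=switches.get("/tn", ""),
        command=switches.get("/tr", ""),
        schedule=switches.get("/sc", "").upper(),
        run_level=switches.get("/rl", "").upper(),
    )
    if task.command.lower().startswith(USER_WRITABLE_PREFIXES):
        task.reasons.append("task binary in user-writable location")
    if task.run_level == "HIGHEST":
        task.reasons.append("runs with highest privileges")
    if task.schedule in RECURRING_SCHEDULES:
        task.reasons.append(f"re-launches on {task.schedule}")
    return task


def find_scheduled_tasks(cmdlines) -> list:
    """Unique tasks across the tree; the cmd.exe /c wrapper and its schtasks.exe child dedupe."""
    unique = {}
    for cmd in cmdlines:
        task = parse_schtasks(tokenize(cmd))
        if task is not None:
            unique.setdefault((task.name, task.command), task)
    return list(unique.values())


_MP_CMDLET = re.compile(r"\b(?:Get|Set|Add|Remove)-MpPreference\b", re.IGNORECASE)


def find_defender_probes(cmdlines) -> list:
    """Command lines that read or change Defender settings through its PowerShell module."""
    return [c for c in cmdlines if _MP_CMDLET.search(c)]


if __name__ == "__main__":
    for t in find_scheduled_tasks(PROCESS_CMDLINES):
        print(f"{t.name!r} -> {t.command} [{t.schedule}, {t.run_level}] {'; '.join(t.reasons)}")
    for line in find_defender_probes(PROCESS_CMDLINES):
        print("Defender probe:", line)
```

Run against the table above this collapses the four `schtasks` lines into two tasks, both pointing at the same `C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe`, one hourly and one at logon, both with `/rl HIGHEST`. Note that the path the tasks target never appears in the Files section, so on a live host the task definitions (`C:\Windows\System32\Tasks\<name>`) are the durable artefact to hunt for even if the binary was never written or was later deleted.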

Network

Country Destination Domain Proto
US 8.8.8.8:53 facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.youtube.com udp
GB 163.70.147.35:443 facebook.com tcp
NL 142.250.27.84:443 accounts.google.com tcp
NL 142.250.27.84:443 accounts.google.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
GB 163.70.147.35:443 facebook.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.147.35:443 www.facebook.com tcp
GB 163.70.147.35:443 www.facebook.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 fbcdn.net udp
GB 163.70.147.35:443 fbcdn.net tcp
GB 163.70.147.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
GB 163.70.147.35:443 fbsbx.com tcp
GB 163.70.147.35:443 fbsbx.com tcp
GB 163.70.147.35:443 fbsbx.com tcp
GB 163.70.147.35:443 fbsbx.com tcp
GB 163.70.147.35:443 fbsbx.com tcp
GB 163.70.147.35:443 fbsbx.com tcp
US 8.8.8.8:53 accounts.youtube.com udp
GB 172.217.16.238:443 accounts.youtube.com tcp
GB 172.217.16.238:443 accounts.youtube.com tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com tcp
RU 193.233.132.62:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
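Most of the rows above are the noise of three Internet Explorer sessions opened on Google, Facebook and YouTube; the sandbox logs one row per connection attempt, so the same endpoint repeats. The one row without a domain, `193.233.132.62:50500`, is the only direct-to-IP connection on a non-web port and is the natural pivot, while `ipinfo.io` is the external IP lookup the stealer performs to geolocate the victim. The `apps.identrust.com:80` fetch is most likely CryptoAPI revocation checking triggered by the browser visits (it matches the CryptnetUrlCache entries in the Files section), not malware traffic. The script below is an added example (not part of the report) that parses a constructed subset of the table, collapses duplicates and applies those three checks; the `WEB_PORTS` and `EXTERNAL_IP_SERVICES` lists are assumptions.

```python
# Added example (not from the report): triage the sandbox Network table. NETWORK_ROWS is a
# constructed subset copied from the table above, same column layout.
import re
from dataclasses import dataclass
from typing import Optional

NETWORK_ROWS = """\
US 8.8.8.8:53 facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
GB 163.70.147.35:443 facebook.com tcp
NL 142.250.27.84:443 accounts.google.com tcp
NL 142.250.27.84:443 accounts.google.com tcp
GB 216.58.212.238:443 www.youtube.com tcp
RU 193.233.132.62:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""

# Ports that blend into ordinary browsing; anything else deserves a look (assumed list).
WEB_PORTS = {80, 443}
# Services stealers query to geolocate the victim (assumed list, extend as needed).
EXTERNAL_IP_SERVICES = {"ipinfo.io", "api.ipify.org", "ip-api.com", "ifconfig.me"}

# "CC ip:port [domain] proto"; the domain column is absent for direct-to-IP traffic.
_ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)


@dataclass(frozen=True)
class Connection:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text: str) -> list:
    """Parse the table rows; header or malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m is None:
            continue
        conns.append(Connection(m["cc"], m["ip"], int(m["port"]), m["domain"], m["proto"]))
    return conns


def unique_endpoints(conns) -> list:
    """Distinct (ip, port, proto, domain) tuples; the sandbox logs one row per attempt."""
    return sorted({(c.ip, c.port, c.proto, c.domain or "") for c in conns})


def dns_queries(conns) -> list:
    """Names resolved through the sandbox resolver (port 53 rows carry the query name)."""
    return sorted({c.domain for c in conns if c.port == 53 and c.domain})


def triage(conns) -> dict:
    """Map 'ip:port' to the reasons it stands out from the browsing noise."""
    findings = {}
    for c in conns:
        if c.port == 53:
            continue  # resolver traffic; judged via dns_queries() instead
        reasons = []
        if c.domain is None:
            reasons.append("no domain associated (direct-to-IP)")
        if c.port not in WEB_PORTS:
            reasons.append(f"non-standard port {c.port}")
        if c.domain and c.domain.lower() in EXTERNAL_IP_SERVICES:
            reasons.append("external IP lookup service")
        if reasons:
            findings.setdefault(f"{c.ip}:{c.port}", set()).update(reasons)
    return {key: sorted(reasons) for key, reasons in findings.items()}


if __name__ == "__main__":
    conns = parse_rows(NETWORK_ROWS)
    print(f"{len(conns)} rows, {len(unique_endpoints(conns))} distinct endpoints")
    print("resolved:", ", ".join(dns_queries(conns)))
    for endpoint, reasons in triage(conns).items():
        print(endpoint, "->", "; ".join(reasons))
```

Skipping port-53 rows in `triage()` matters: the domain column on those rows is the query name, so treating them like the other rows would flag the resolver (`8.8.8.8`) for the `ipinfo.io` lookup instead of the host that actually served it.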

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe

MD5 c67cb183b5faa87873c21b128122e3e6
SHA1 8e349c1201b80494ff6abf3a6aa90dfe5ab1396d
SHA256 66a632a8f16bef1017d0dc763ba5748e8d56a82665f0dc16f997d178ced2db1e
SHA512 cfd8ccda07faca5e3d52bb7daa3981d98ed461a8bae95c552c07e2daee13aade4cdd9827256417b6dfa950a0babfcec87a9e1c7b9eb25f23d2041b6601f5142f

\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe

MD5 dc38658ab97f24017631cc6fc2a947a2
SHA1 923b31dc8efb78821bcdf59b4be2305b0867884c
SHA256 c3803fc2e163a2a9736765a58cc164d93393cff511fbacde3abc589fcd658956
SHA512 66cc349d6dda34aea1bc2354f864d5ec11b014c37a614ade23521a5f690357e301ef31260a5f219542ba0ab16812d03e3695b21c5abf7ae164ba22b88245a75d

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe

MD5 66a8808f228c3eb59c40ab6451b3af7c
SHA1 5dc80ecb744ae2b1dfc9dc033eb983705dedde7b
SHA256 76340ecf2ae114c63c3768ae0e78f2f5e0dde30a8a2ac5729c2ce421ea132634
SHA512 89b0ca75403eb95b32977c6b0219dd5a9feead0f35243cd546e49fbe09beee035a5f2afbdebeda74ffa452c9b5919a46d75564f40d668be23cc3bea0a2357343

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe

MD5 27b90637ffa49f03e168bf83c5b699e1
SHA1 2c39284833676cbda69bb9a5d7bca0e254382355
SHA256 36873fc19cf2d19f319cfb85cac7e0fe51e7f87f3cda28bc4ecac1878427b29b
SHA512 c1c39b66f4c4846d5d5c03d7606c643bffcfc26cf020c9f5544f8f2eaec0bb135c786bf44b6cbbfdca5d90b63354e758111eee1a4a445b43bbaae7b7093a96eb

\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe

MD5 779db1fcaa2b01c67fa62fdcf541137c
SHA1 85aa8928790bc40c8dcfac0585e87526d285905b
SHA256 0b343aceb8665dabb2f978310bc369bcac837bc19c7422d059fd485d50bb2c42
SHA512 b657c28f2159a283214b8ad103492f467e79bbd6465385bde9f15e5c3712433e7d77bf08b5637c2d4dcd7c2fa85fe4704ce0cf4096af4097861762fe10f5a00f

\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe

MD5 c1fa71b8a54910f6e6fac0ea03af9dc9
SHA1 5ce0ca8317c8ac8f2fe5205b46868f0a774e8e27
SHA256 f6c624cba32e2e5569cbdf67bfeace7eb9a4feabc64966a27136b0b982e9ab19
SHA512 a36015fd84eb4cf3925a5b4f623abf0ce4c2a74aaca63275fbaa6d5ed9b1b2b668536d747298ee0a1631e48ef25f7cf82c1965bb960cbc1b9a7b765e99f28f79

memory/2092-26-0x0000000000E60000-0x00000000012BE000-memory.dmp

memory/2688-27-0x00000000015A0000-0x00000000019FE000-memory.dmp

memory/2688-28-0x0000000001140000-0x000000000159E000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe

MD5 08cf16d49dce42a901bcb9beb05e35ff
SHA1 de3e8cd334ac81cf4aa1b8cada3d597758bebbd6
SHA256 6ad0521fb2fea5ada9493e5cbabfc6f9d4ff1ed836426171f8a8e96d363ad7f7
SHA512 3aafa8e305de251076882213c152ef18f3e291d7054b4c53160272d31edededfeb45f50dd7a7201cbeec484f83dc5b1387bd51198ab8a7f15fa27ea54f4a49b9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe

MD5 5f189b0008fdecb879ff1a650d4ee072
SHA1 557dfccfa42cfabe79b7404f09561a260936f469
SHA256 ff2723389e1fbb9738b3180f8fc649fc39282da5197b229c5adee2b0eac035cf
SHA512 69dbb1027e0cea3829c5f969893e6ed5e7a119d59b6f77ec9f3518d0bc28637c00a54890e3192ee02be3c07518a3cd8195fcd1b9a364e8b0bae63d8ea7694fab

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{4347CA91-C4D3-11EE-A297-464D43A133DD}.dat

MD5 cdf54adae40b5b906c193bd9ce2c7926
SHA1 b11ea404ee1c8e869a173742bfb322c89b2fc68e
SHA256 15c70b9e6dc7012d9eb52fd816dd790eb03f74d325c21ccd8106d9e551017011
SHA512 f285d85439416450171b33a3bf88a1485deaec75b5699ee72c04532eab2f97ada0440b09fa6f3c50e13c1d462cf0bf49384e6402741b4ed78736f04b495fd371

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{434A2BF1-C4D3-11EE-A297-464D43A133DD}.dat

MD5 162aab2ddf21272bca0be8ba92978cfd
SHA1 de0890ad7186e24ddc3b1f8a8bc7e6598d9f2ece
SHA256 9c9ac770b4dc4f5a9faf2b5d178bc68eb7a4290dd12454e406142989bedd744f
SHA512 9bc9356f90fa351949421d670658f8dfdc6583b1f103a6ad9e35e3a3327042ab3b8cbd4a73c441695c8aa35321b8e9959a3a24e38b4de83efecc2513f8f9f792

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe

MD5 b87bb5a2e3ed77cb9d7bcc945ef15767
SHA1 b2cac3bc5877f48aa1e611e347aaf75dc9c8a2c9
SHA256 c0572a69fff41be5877c893d6ae1928ddd0ccdc722afc704729a1850a60e22bc
SHA512 521f5bbf4e4cbbaae41a05f13ae9fcc99e455153c489348b017fe0a431c0c46c3eb9dfd9c4a82f3df71365f6008244d41cbf47fa7c8ce4c1c4d90864885b9edd

memory/2688-32-0x0000000001140000-0x000000000159E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3C66.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a0b63d315b1a6d763785d33e2b012991
SHA1 6d813b35f7750a138077fa4fd3fc7aeff05c89b5
SHA256 46d505297e9e4d9e7c53422ea4ef00f7428782e779bf5f8830d862c81f144c26
SHA512 6fef92b8b27348bed8b94220adc74173b1d7d1aa995d8404c32051c03fdd2fc4b946a31c60e3152ea17ec045f957d341f92e3bcd222a2662700b71aa83216d3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 559fc08f13506406be50be19ae4595a0
SHA1 13656f0813281f895b80a7a08b80087837bb0577
SHA256 0ac58edea071bb3f5bc2593462b57145c97ece7460f442ffe79a68a64b173852
SHA512 fbe07fa6a809063dd1cf3e5b0f2e2729bba6cebfa7436f7117fa1df1067a04ea7ccc4b6929ef194a361ee01f5645d751f0ce5c0701a6f821449d9b0e6a228a83

C:\Users\Admin\AppData\Local\Temp\Tar3D34.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ac89a852c2aaa3d389b2d2dd312ad367
SHA1 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512 c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 cb9c8d641f219658e7b21380ff76b3d4
SHA1 f24ad4b1bbb893f32b50a0a27937db799868c9ab
SHA256 c45188b8c9a8b5caa3a7954ab7088d0b81402ebf4947b2bb229e722cfadc1be8
SHA512 0bd2d9a4b6222bf8e533980898b9207dcdba5e84f74d775208a89b12f9984448fc31913277d23ccef61dec298f8e42a8439a1464ee2119ccaca103099b680cf9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 2693c7fcdbbafe258c8c75e6cfa3fec3
SHA1 94520be26025c1ebb2e0dd03599ce152c5fcfe86
SHA256 b15bc25f1e7ef33197bf488df5db7634c99197cf51a5b8dd0aead3f9be1c4ac4
SHA512 c566e6fec63ea1ffa993a04bfbdc0b2358bff3932599a5ae5d28da5a4b4b1d16f5f2542107b1148c2e83605a26b06e40ebf8b6dc0454086612074561f2e2dd0f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 de12b2b9079542a92ae043e1314e64f9
SHA1 17e3db70206e19c5edc819104ef109104456c6da
SHA256 227040ab6c3cc12aa78e953e69f4eb6348019112bf3806a576f5b646b0ec2d40
SHA512 f70b4d12430a73512b6c7f1233349837fa14026b30aa058d1591f6073e858a14f5bbeec3e7a670b16243e67e5e6c54e73ca3a3fab7f3b9e0612e4f97140f4e8c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ed1ffe2268522690ffc9c23a383bd73
SHA1 b3db65bdd1d91cb3c75889f84e8fcd82e21ef71b
SHA256 6f1c848415c8ab84c12716125f337100a81647254ceb02c3b2a82dc1731a6237
SHA512 6747152b347ca5ab8b47d2d156fd3b40db997e2880788d99d72903caa6c188cf292fe524e6fde6e3c48f8ca558d94fe5991ffadebbfe54912a35a8dd1680cee7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be588524fc6cb236e9e904c634a2aae1
SHA1 f9b0b3821d80ab89448970ed8f5c069fb7626e3f
SHA256 1b522a874dfce652c3c6ffbcfbc2e3ba428c0807d0e75d66306ac6bf90a641e8
SHA512 068d10cbae12ad761160aab57fd53d0d1911f367cea9a693bdd2f892771618f78e37cf501e9b00bd89da6e93f4804fe6e84c906fa1bb46edd53fe17451fa9e84

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 9837ff12ed838049585df5d25ca82b5a
SHA1 09f139f8fe9afede47e589dc4402e661f501c2ca
SHA256 b105508de55c15c23e66c36bc7946b2e46f4d8d93d52f428cf6e174c8b1861c6
SHA512 0ca0a8c4c76af806c8cb6d23030999b7fbe5459c587a6366bc0a33034d6817dc4e331ba49d1e8df0e58293049d902c5c02621962850537e22682e53906bdf961

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_DDCF8A1BB8132E191B1D87188F0E5FF4

MD5 85aba89c53bb7c2a4f540128473bc3b1
SHA1 493feea8df0a909b5b0e0cdc04c86b193fc76f27
SHA256 98e383259fd9f2d438b50930f12b97f0ecbfc10365e78cc24bb6154e2ca888f1
SHA512 08a64ec7a30d04da12cda38456315e19c1816f9382de4dfbc9646a2a755d7eb8c299334246b3831d63c2d668b369e1c2223ed3a570e0fb10537272b2c7402614

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_DDCF8A1BB8132E191B1D87188F0E5FF4

MD5 79a6db511b4a4a2e1556a38660a9fa6c
SHA1 ec1e7a7f15f248c964b658afc089092c3d4f3d2a
SHA256 91afe9f89f34e0738f2c8c4f4038f9f178d002ffa632d510c2ab28f360ff45f9
SHA512 13517b57f238f154baee80c0d2cf7a94795618089e252ebe53a654a94a3ee2d1168ea06236318e4a46bb1cd4d1137b1cd04367fd98c2e52025035956353717ba

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CFHPCFFP\favicon[2].ico

MD5 f2a495d85735b9a0ac65deb19c129985
SHA1 f2e22853e5da3e1017d5e1e319eeefe4f622e8c8
SHA256 8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d
SHA512 6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\d151rer\imagestore.dat

MD5 f5b59702967588cdf3211799327e5e25
SHA1 2507281fe171c71dd12c1e97fd98d5e7484560cd
SHA256 ea58be8dcc555c349e7351f9f6404290caece81505fb7cc54191e2348c3ba0ce
SHA512 ee37ee4f0f962e460be3cf06413679c84f651421639f7c009931b0a0503219dbca2425d15cd0444d4372ae0733fd04bd6fa347a66400bcf2f16b385c53c57b66

memory/1764-284-0x000000006CDF0000-0x000000006D39B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T4KN0ANV.txt

MD5 c884ea60ace62e347f1fa7673c1b3b01
SHA1 6771a77d17c228ea568d4997878da28acb6c1881
SHA256 df8fa4af33e778fa230547f832ac8bcd8238f8e459680bde14d1f5ddd608a6b6
SHA512 20fb5bcb4474ef500377b31201d58b4766744bd2798b250c6c1421b778d3bc30cf5efc501051f818e1ea66f8a8f37fd3ccecccdf193468ea2bb21d7bb03e9426

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_D50E9269859FFB5A738F673D82E63752

MD5 7d10d6a2d05142b2f7de42728ab93a9d
SHA1 dd26f063d2bf4688cd996ea46ec9c79f9702483a
SHA256 a06c2f6ee0ae9af14551ac19e95835bf20b775d835b558529eb5979d474f0919
SHA512 74738a2f5fea62431113b09022d031000ee1ee3fd15d0c02dcce313c1f67d7c9176d13a715653d1fd23ed10c8c8fbdeccfe09bdd17511e3f92e218ba151e9139

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_D50E9269859FFB5A738F673D82E63752

MD5 bbc8440884a95956838c1f1a33fc676f
SHA1 231180c12d58a50d6a96d59fc1e1d215afd3cdac
SHA256 d7858d742e24f282f249e82ddcce500406dab87a8d56736ec3f8f82a6783c7a1
SHA512 ca9057d787bcd0ccd25b7675a7eee459117de680b595a9fcb590b665a8ceacc8cc76fd00effb1c7ebe5830076a01baa6b841637f170e7aa949832c0d263ccc74

memory/1764-386-0x0000000002700000-0x0000000002740000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6MCRSFJ\hLRJ1GG_y0J[1].ico

MD5 8cddca427dae9b925e73432f8733e05a
SHA1 1999a6f624a25cfd938eef6492d34fdc4f55dedc
SHA256 89676a3fb8639d6531c525e5800ff4cc44d06d27ff5607922d27e390eb5b6e62
SHA512 20fbee2886995c253e762f2bb814ad16890b0989deab4d92394363ef0060b96a634d87c380c7ba1b787a8ab312be968fed9329a729b4e0d64235a09e397db740

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\d151rer\imagestore.dat

MD5 49f02dd5615e6d1e9539e7f0aa83c17e
SHA1 e504173da61f6fc89e56eee64946b1799df6a4e2
SHA256 81e842d81c907de3bc469af1bccea28e9149057964c85fc2ac47f8fd197b809a
SHA512 aafae9e23b797578395164e91ae400e95f73f122f2bc5f07cb5c8af45bd901fbe836071b80f852a1c537cb4d0940086399441c0f81347003923e5d242076a903

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CFHPCFFP\favicon[3].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\d151rer\imagestore.dat

MD5 4a481c83816ebf2a3382cbb1e314b21c
SHA1 2ce62af320a3734bd33b4fb87ea208f3bac52884
SHA256 e61fb1287dd166fb0bb82474e37dbc0de4788d1c82a91f1dbd50c769c15ccbef
SHA512 48324773cd0a45647c1a1ece5e64ddd4aaf0cfa21111d49ab9f45024dd93d7bc3a7a1976873a13bb164666b09dfa0af97d7c455dc39c5a1a687889f67001dbbe

memory/1764-430-0x000000006CDF0000-0x000000006D39B000-memory.dmp

C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe

MD5 5029a0767b3bb36cd7105e83778330ea
SHA1 83d56d1f28cf29b87e26917bf17b70edeef7724a
SHA256 d7dd9ecebcbb7f231089d5f387682120d46a895b652f5a9c6ee663b1922fa8b4
SHA512 c2872608b20a7b53414573c30317f1c0bca3ab4e69dd47b21900b63e7b2691c65278d03504314ff4043a33eed5bfe36cff8be13b771a5115bb6aac1691e837ed

memory/2688-438-0x00000000005B0000-0x00000000005C0000-memory.dmp

\Users\Admin\AppData\Local\Temp\tempAVSKNzzsyCN8oJm\sqlite3.dll

MD5 0fe0a178f711b623a8897e4b0bb040d1
SHA1 01ea412aeab3d331f825d93d7ee1f5fa6d3c46e6
SHA256 0c7cd52abdb6eb3e556d81caac398a127495e4a251ef600e6505a81385a1982d
SHA512 6c53c489c4464b9dc9a5dd31c48bb4afa65f7d6df9cc71e705cea2074ebd5e249cad4894eac6f6b308b3574633bc6e1706dfc5fda5f46c27f1e37d21e65fbc54

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f784df836782bc62194c0351144a821c
SHA1 75465281fec4a22ff9ddbdc894251976c9f5c8b1
SHA256 cfe077de64e3506b78480ef49b383d01ea1b4b57450b8aca967ec5a77c94b5d8
SHA512 2b1f3d3f0325aefd6f80c8beb2ca9177883003136997d6d145027c3c3c75ce39857f45c1b7e6df96a68a5e4dacd9c380f91280499c18af6f9c51da6235ad5e3f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bdaa9b3aaa1070158181e0861b68060b
SHA1 a6728ce5b105c07f4a7965d002f5fde0f34abdb7
SHA256 88d4d22e177c19422075c0ebd82fe574ddbeaf3511deaf3d2124e7e27ce8f2d3
SHA512 45a7ab36ba9aa5a8b179722131a6ba420f16bf60297ba68cdcf5883cec0e6c89f8404b1128672a435ab54ec268cec0a5d4c6f94853af89e99eeb2e882adc1b87

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05fee160fe93294f93f793c183eb15a4
SHA1 f799bf49ff31d00f3a9fdb0c5e05105895112ee7
SHA256 8b84afecab06be1f7c8145f2dd630582939a7c71287887fd9e1e5fc033bac855
SHA512 3227d82893b00a8d7371447eaa353a6b801009eff70c77e6b10c0395982fdf2088c640b62a6a78b851c9ee3ad9b1fc411e48677befa322ffd8dd2d677aa9f947

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a1da814f18cc6e23eb2ab596d1dae6bd
SHA1 56647630adf9e16c1e0d2099a8bfffa6ee317510
SHA256 28d719c3227470e9cc838fed8b6c774f51a7b6396bdc8918afa690247c776ef4
SHA512 ae99bcc71200f0fdad947762e776f076500311190450d2236a0cdd760025842df96d36f33ee591a98b6bf07ae2b809c931d2c86967ea30d230af4e5a31909b99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c93815a3e88a9b717753fe64cd5e3cf1
SHA1 cfb5c003973d6226f0b87fc89adbfba5622a4124
SHA256 ec33c6b61e99f9804446026e68f6c0ae2046b3b3842ef8d5bd3535e4179f0a34
SHA512 c2a625b1d7eb29c6fcdb2c3a354c5d82e4b5e60f5a280b7a5f3ee19a2b597ddde9cd2158a2b2b79f48045af93a6cd238c94d11ee6f0861198232f63566b96267

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0a4fb27204d39c3a226d7fb69d2c7714
SHA1 d697fc3971bd36cc2da0d0256abcf735f81454e3
SHA256 9a31a7bbbe9c0c13a6179410373a03b8a52d1f3a07e7c804095f6f9c0a38a9ff
SHA512 657f2bc319d63b53b8d8c6af3000c6c8b7f9fe36d15328cd5e15394e98b96094d097350da50f2e0b6c45de5384969eb73c8609d6665a2e2eb9af5e3052fe6afc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e2bf37b8b84a6bafaf8dbaeb55808feb
SHA1 22b9cb9225f6292d77207b5792b077e0a957f43e
SHA256 4268989d61ef3183c10f460fb77e517c5b729d661c64f4f68e00fb1b24e606ba
SHA512 8210c8229abdc9650a717b0d82bba6b3ff29b9e40b6bdf8c81db865463e733c46bafd83f231263a8f604178dc4d020f3d1c49628953f8c3652b61adbf49790ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 06581116925fb31f23efdde1e59708cb
SHA1 4df491e9ab439a6064128088a9b9d4a9e04ea631
SHA256 07e8afca6d647e02a4d02ce87f4afe56e006e3d94cd026baddb0ebf3881156e9
SHA512 153c9b91753b9b92e56889c34b7763adacc7185e716ed19ae36c3e16135f368c9c433d7bffd7ab05b9505480e7b5da6d451e0c43b213a91893d49b83253454e1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d31ec7e415ad5a04923f5781ade358de
SHA1 df8aba9bf366ace519f664039b73ac03927b209d
SHA256 acc0e3057f90b9cc80a78d64c348625a4368a96c840f73eac742e7c67a9aca77
SHA512 7512a31d06e5b504eb367a386cad18745959d2d29e257e2ba27a2910f36bcc0735f126d43b412ebd5b588c6898e51075c1edc82589637d2877ef155082ba2cfb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7c4d4bd909de45934c8527fa0fe002c7
SHA1 327307be8a950026000d24ba066ee966688f3d28
SHA256 5c2502f186cb8e35259644948e049c61b7af8f3a9b8244d184e5d0f4ea7e22c2
SHA512 268c6d3d809af2e74072b8553ee3977a012fe36c71430e828d5200361ba2c4f83670d0e55ac1a72e290f12db558fdb7b3809bd44c6b0a95426febd6dc4adf5ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 04b2e7e1292ddbf7e99d8460d3005dab
SHA1 f5080567a1da01c3472a2be7944710d64b5212a8
SHA256 6426cce91f322c4559c6e2c189354b17cdb0690554254962759c150b3b3a5465
SHA512 24a9fe7f05f779620c9b25bfed1c81b894f3998b0e082323219b15d606ef50f448604ea381e6a502e567245e9c5e96860ccd99621e81c05e3ebbe0ec7ff933a0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a3aea4aac8b0461412b553687902703
SHA1 c8009105d560d5cc532d340753d2efb47a9e6aff
SHA256 58314cc7ac61887b70f8a42310055a34e28612f3d0f59eb051fb6babcfc81c11
SHA512 6cef44893d0b9904f2e525030993736e4bb9ff7a3f19dfcc62bfcd8d4116f59a2c7a6206acc3b625533b89aed837bcbd3f63414165cc9c013f94dc1e6513fbac

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7bd92eedb6e36be0512f475dd746da68
SHA1 3540301943ba71023d2c4f00890a129bb2148d9b
SHA256 c66ebf82bd0aa926c698bc0f5c8de22847ed5337c9cda8ffad8700a6020f5a2c
SHA512 cb9750baea1b31182ab62051b9621494cef2b325f52ac473f4b0ac55f0bce3b58e9d0d9def0b0efd02ef246632d56a75e42f0c0ce8a5762e897a127200192e08

C:\Users\Admin\AppData\Local\Temp\tempAVSKNzzsyCN8oJm\mI8NuEjQLZVrWeb Data

MD5 1f41b636612a51a6b6a30216ebdd03d8
SHA1 cea0aba5d98bed1a238006a598214637e1837f3b
SHA256 34e9cb63f4457035e2112ba72a9ea952b990947c9dc8fb7303f4d25735f2c81c
SHA512 05377e24e0077208a09550b7a35a14c3f96d14013aadee71f377450cb3a13ea70a2b85f6af201e1c9502fc1c33e243b1de09de60313fb5be61bc12f6efe57ca8

memory/2688-1068-0x0000000001140000-0x000000000159E000-memory.dmp

memory/2688-1081-0x0000000001140000-0x000000000159E000-memory.dmp

memory/2688-1082-0x00000000015A0000-0x00000000019FE000-memory.dmp

memory/2688-1084-0x00000000005B0000-0x00000000005C0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d93275f39e2e96153a21ef60da8a2b1
SHA1 db57350f535ed27bb3a71a4d793c31c0c96d277a
SHA256 2ba07e48665f8fc62360ac240ae0134006ef98cdd233c20e7ca677734fb0bbd3
SHA512 81b6dfab069763be9f5aba82d2a118fb276b6fc184f2f85e20cee18900dfe0698fd755f85bd0fc8c593e4b4060752f535fac1634cb17a1d3ecd74423f3c262c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e6297cb9bb02b4414c3751a5ce0f878f
SHA1 77777201fd90de45e56b02ca60deb7962eb06eb6
SHA256 46cc00bf66d4f4bfb411124f25dacee057cd7562bd7b4ddb6a61758d917cf0d8
SHA512 0f603d4e6a74d479b21a2235b4e42bee45e3055bf2c61da5d54626c82230a92f519c63a5bcfcce3d1c7698c6aaafcbecaf86ff50980030cf3f3b93bf4a0e2fce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 2a072467033eabfe3c79c3c321e757f2
SHA1 994a88387e246f01f89e5c0b09422fcc95b7a422
SHA256 976ffbbbe1ffb151852e04026b845de06177743f1d7c80dcea5b40850cfcf491
SHA512 a2a7c8121adac6c6385f9a169b4e000a8ffc04e6863f11be18689dd12cef7a9f80e81b27b6662ff38973d1a50bdc6f65512b451cdd9542c587756dca22c99e4c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 820b6619667f439228ced209d2b96882
SHA1 49a3bee8e0e7b7f73b6259eacf7ddc4f02057ba8
SHA256 702971a4e99886510fe10109f02aeba0f1b1f8eb7f68f729bd217b658b3e4b9a
SHA512 9012c4c59ff708006c80f74076e1bbcb6c96ec854243dda9efaa518fc84b0e2df123826674332a1e7e0d7350c17b188feddebb5162130f00fda95968c2d9d706

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e6f585668aba16ed01f8a6f7656f1fc6
SHA1 f54def9a8589f96b7b996fd0960f228baef790b8
SHA256 25225468423ff72b86641856bc3e233fe7086bece7bf374858cd6807e86220c7
SHA512 be11572e1e037411a3586ef094ccdd5d33e29ba06beab544f2f7626fb321cbd5b1bd6c38c3b02214cdc544cb2d742979812f07a66de2dd9bd0a803257c690f2f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 002bfd91b2eceac1356ef4e69cb2515f
SHA1 e7715c53bacca9764a19eecdfb13a64ef8171a20
SHA256 481a943304d85b85d7030c44685d628117c54c136e4e16758bbc2c80a56d3300
SHA512 a8e66dd313eb61afa30dbfb769f92c3a387f15c295555181850ae181e10852a094ea499432c33fda7c4baa97fea99240ff098ab44f1c34ba70885b151bc21fc4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97270b9a9c0b153493c1983157e04dcc
SHA1 238ba85ff00715f3b9274c3a5f43a68c1a5606dd
SHA256 10d9e45218743d58406bc0f087132ce4e9cdde68cf69b32edbb6ed45fa310c58
SHA512 8405f5414a55a8584dd0f39e3b6b28c7b56a1950f29cfcf53f3393c93e2c603f153f528c8dfdb8436f64007ded4712904733682a6bf0a971b3bfedcd3741bca0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 561813d8fee40dc19b565568ff3c697d
SHA1 3c5cfa94c855161a04553de9e69de89f6181690b
SHA256 6dbfdeaeb059ee4b2b438ec3b2e6d814b4d9de40fe6fdb8d9e3ae1fa10060e41
SHA512 68b8a363cfd8f0593217056724c3635911ccdd0a288c9b38ce9ff20103d1c7140f45de8de812a3a27733955d3299a8e29be8dbaafdf4de0a2c9069d484f57b24

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 8c41317ddfe7a6e64f79ee7c39fcff38
SHA1 334acf27de67f29369b50e6fa3daa6c2093f3d74
SHA256 6ccae377793d212b89afb898004bc4a92d9fc69f399557e2d612473aa05ffef1
SHA512 741cc29ab30d99e508093db8dd2d0d4e7c14faa5e45cf06f14f63a48cd123bcbedf7ce8f53e2870620dc6ec282c0c3fdc3a3c3f78ebe64efe2040eb7e0e9c744

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 91355b54ffc8a787bdc2dce899ee8e51
SHA1 004bab2bc5d512fc6b092fbaaac19f93d090a503
SHA256 765093f0f6ef3310a8186ad932bcb8332e72ec2cecd01799c8b81a4245f6f1f4
SHA512 1f8ca3b9b884beba4d45fd5f550f99d93e3cc45c162c1c0373401d7e54d60f4957128f2fcf027b236f7580b17e4b39a5a421b0cb8c31ab9a094a255f9e47543e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 53583bfd4d17e15787d8dce87030e81c
SHA1 697ed16349ca8846322a476a135a455bb1d1edd4
SHA256 677a666be35642e7f85b5e6ab004d038ecc96da97ace3096b10eff66f68d31ea
SHA512 c420b0d8413e8f5f70f0545238d219786f16a42a368051c49cdfc945220ae258c67c8037b0b27f595d4e97a5e7a91b9a9979877f97b6442814e6d38f85161ca1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3803b8d92afa4c6a973f28b0cf524f01
SHA1 a97a13cfb592f6cd8869b483454f9d6237165326
SHA256 4d2cca3d2e86258806e41e86e0d99c544b55e5a7a1777aea235b821b02c9195a
SHA512 152c3dfc9b0aa9f996a3a3111a055c3138e020067e88526448f7eabbd000861a169b6346ac53154de307d17b02f751f3f80094077e60c908786526914c6fdb38
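The Files table mixes three kinds of artefact: the dropped stages (`IQ4uA69.exe`, `2BI8713.exe`, `5zg3Oh1.exe`, `MaxLoonaFest131.exe`), the stealer's collection staging (a `sqlite3.dll` dropped into `Temp\tempAVSKNzzsyCN8oJm` next to a copied Chromium `Web Data` database), and a long tail of CryptnetUrlCache, Content.IE5, imagestore and recovery-store files that belong to the browser sessions rather than to the malware. Note also that `5zg3Oh1.exe` is listed under the same path with four different hash sets, so indicators should be keyed by hash, not by path. The script below is an added example (not part of the report) that parses a constructed subset of the table in the same layout (SHA1 and SHA512 lines left out for brevity), classifies each record and extracts the unique dropped-binary hashes; the `BROWSER_NOISE` markers and the `Temp\temp*` staging heuristic are assumptions fitted to this sample.

```python
# Added example (not from the report). FILES_SAMPLE is a constructed subset of the Files
# section above, same layout; SHA1/SHA512 lines are left out to keep it short.
import re
from collections import Counter
from dataclasses import dataclass, field

FILES_SAMPLE = r"""
\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe

MD5 c1fa71b8a54910f6e6fac0ea03af9dc9
SHA256 f6c624cba32e2e5569cbdf67bfeace7eb9a4feabc64966a27136b0b982e9ab19

memory/2688-27-0x00000000015A0000-0x00000000019FE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a0b63d315b1a6d763785d33e2b012991
SHA256 46d505297e9e4d9e7c53422ea4ef00f7428782e779bf5f8830d862c81f144c26

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe

MD5 5f189b0008fdecb879ff1a650d4ee072
SHA256 ff2723389e1fbb9738b3180f8fc649fc39282da5197b229c5adee2b0eac035cf

C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe

MD5 5029a0767b3bb36cd7105e83778330ea
SHA256 d7dd9ecebcbb7f231089d5f387682120d46a895b652f5a9c6ee663b1922fa8b4

\Users\Admin\AppData\Local\Temp\tempAVSKNzzsyCN8oJm\sqlite3.dll

MD5 0fe0a178f711b623a8897e4b0bb040d1
SHA256 0c7cd52abdb6eb3e556d81caac398a127495e4a251ef600e6505a81385a1982d

C:\Users\Admin\AppData\Local\Temp\tempAVSKNzzsyCN8oJm\mI8NuEjQLZVrWeb Data

MD5 1f41b636612a51a6b6a30216ebdd03d8
SHA256 34e9cb63f4457035e2112ba72a9ea952b990947c9dc8fb7303f4d25735f2c81c
"""

_HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]{32,128})$")
# Artefacts of the IE sessions the sample opened (CryptoAPI revocation cache, page cache,
# favicons, session recovery, cookies, CAB extraction temp files): not malware indicators.
BROWSER_NOISE = ("\\cryptneturlcache\\", "\\content.ie5\\", "\\imagestore\\",
                 "\\internet explorer\\recovery\\", "\\cookies\\", "\\temp\\cab", "\\temp\\tar")
# Chromium profile databases a stealer copies before reading them with its own sqlite3.dll.
BROWSER_DB_NAMES = ("web data", "login data", "cookies", "history")


@dataclass
class FileRecord:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_files(text: str) -> list:
    """A record is a path line followed by 'ALG hex' lines; memory dumps carry no hashes."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HASH_LINE.match(line)
        if m and records:
            records[-1].hashes[m.group(1)] = m.group(2).lower()
        else:
            records.append(FileRecord(line))
    return records


def classify(rec: FileRecord) -> str:
    p = rec.path.lower()
    name = p.rsplit("\\", 1)[-1]
    if p.startswith("memory/"):
        return "memory-dump"
    if any(marker in p for marker in BROWSER_NOISE):
        return "browser-cache"
    # Heuristic fitted to this sample: a Temp\temp<random> folder holding sqlite3.dll
    # next to copied browser databases is collection staging.
    if "\\temp\\temp" in p and (name == "sqlite3.dll" or name.endswith(BROWSER_DB_NAMES)):
        return "stealer-staging"
    if name.endswith((".exe", ".dll")):
        return "dropped-binary"
    return "other"


def categories(records) -> dict:
    """Category -> record count, to show how much of the table is browser noise."""
    return dict(Counter(classify(rec) for rec in records))


def extract_iocs(records) -> dict:
    """SHA256 -> path for dropped binaries, keyed by hash because one path can carry
    several hashes as the file is rewritten in stages."""
    iocs = {}
    for rec in records:
        if classify(rec) == "dropped-binary" and "SHA256" in rec.hashes:
            iocs.setdefault(rec.hashes["SHA256"], rec.path)
    return iocs
```

Usage: `extract_iocs(parse_files(FILES_SAMPLE))` returns three SHA256 values for the constructed subset, two of them for the single `5zg3Oh1.exe` path. Against the full table the same code drops the dozens of `CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015` rewrites that make up most of the section.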

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-06 09:36

Reported

2024-02-06 09:39

Platform

win10v2004-20231215-en

Max time kernel

151s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233.exe"

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4852 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe
PID 4876 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe
PID 1848 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1848 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1848 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1848 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1848 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1848 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4876 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe
PID 2304 wrote to memory of 2220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2304 wrote to memory of 2220 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 3428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 3428 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4568 wrote to memory of 4860 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4568 wrote to memory of 4860 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2304 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2304 wrote to memory of 4028 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 4036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1512 wrote to memory of 3236 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233.exe

"C:\Users\Admin\AppData\Local\Temp\94627d8117da7cccd8c34a1d8ad88d988a26ec6337d0d66559ee6943f2c2a233.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\IQ4uA69.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\2BI8713.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5zg3Oh1.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x100,0x170,0x7ffb69b246f8,0x7ffb69b24708,0x7ffb69b24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffb69b246f8,0x7ffb69b24708,0x7ffb69b24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffb69b246f8,0x7ffb69b24708,0x7ffb69b24718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,2300323769885504132,6952828148470343543,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,12570695859624056937,18141450656685451231,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,2300323769885504132,6952828148470343543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,2300323769885504132,6952828148470343543,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,12570695859624056937,18141450656685451231,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,4762672433130441146,3440371064840751098,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,4762672433130441146,3440371064840751098,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,2300323769885504132,6952828148470343543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,2300323769885504132,6952828148470343543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,2300323769885504132,6952828148470343543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,2300323769885504132,6952828148470343543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,2300323769885504132,6952828148470343543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell" Get-MpPreference -verbose

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,2300323769885504132,6952828148470343543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,2300323769885504132,6952828148470343543,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,2300323769885504132,6952828148470343543,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,2300323769885504132,6952828148470343543,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,2300323769885504132,6952828148470343543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6520 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,2300323769885504132,6952828148470343543,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6520 /prefetch:8

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2232,2300323769885504132,6952828148470343543,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5464 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5104 -ip 5104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 3040

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6BN2It1.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6BN2It1.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4960 -ip 4960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1028

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,2300323769885504132,6952828148470343543,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3932 /prefetch:2

Network


Files
