Malware Analysis Report

2024-11-13 13:42

Sample ID 240515-zjbbdaba7t
Target Nurik Crack.exe
SHA256 c0fb1c29e216e6ede0976d74218c4565ee5a525765995883e3d6c39d50e7c5a0
Tags
dcrat xworm microsoft execution infostealer persistence phishing rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c0fb1c29e216e6ede0976d74218c4565ee5a525765995883e3d6c39d50e7c5a0

Threat Level: Known bad

The file Nurik Crack.exe was found to be: Known bad.

Malicious Activity Summary

dcrat xworm microsoft execution infostealer persistence phishing rat trojan

DcRat

Xworm

Detect Xworm Payload

DCRat payload

Command and Scripting Interpreter: PowerShell

.NET Reactor protector

Checks computer location settings

Executes dropped EXE

Drops startup file

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Detected potential entity reuse from brand microsoft.

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Creates scheduled task(s)

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-05-15 20:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 20:44

Reported

2024-05-15 22:32

Platform

win10v2004-20240508-en

Max time kernel

1198s

Max time network

1188s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe"

Signatures

DcRat

rat infostealer dcrat

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

DCRat payload

rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

.NET Reactor protector

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Nursultan Cracked.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Nursultan.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | C:\Users\Admin\AppData\Roaming\Nurik2.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NurikCracked.lnk | C:\Users\Admin\AppData\Roaming\Nursultan.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NurikCracked.lnk | C:\Users\Admin\AppData\Roaming\Nursultan.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk | C:\Users\Admin\AppData\Roaming\Nursultan2.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Nursultan2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Nurik2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Nursultan Cracked.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Nursultan.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Nursultan.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Nurik.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Nurik.exe | N/A
N/A | N/A | C:\Nursultan\Crack.exe | N/A
N/A | N/A | C:\Nursultan\Crack.exe | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A
N/A | N/A | C:\ProgramData\NurikCracked | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NurikCracked = "C:\\ProgramData\\NurikCracked" | C:\Users\Admin\AppData\Roaming\Nursultan.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Detected potential entity reuse from brand microsoft.

phishing microsoft

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 60 set thread context of 3424 | N/A | C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3380 set thread context of 4792 | N/A | C:\Users\Admin\AppData\Roaming\Nurik2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2316 set thread context of 1904 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan2.exe | C:\Windows\SysWOW64\schtasks.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Nursultan2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Nursultan2.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Nursultan.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Nursultan.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Nursultan.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Nursultan.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Nursultan2.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Nursultan\Crack.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Nursultan\Crack.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Nursultan.exe | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\NurikCracked | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Nursultan.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2124 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe
PID 2124 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe
PID 2124 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe
PID 2124 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | C:\Users\Admin\AppData\Roaming\Nursultan2.exe
PID 2124 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | C:\Users\Admin\AppData\Roaming\Nursultan2.exe
PID 2124 wrote to memory of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | C:\Users\Admin\AppData\Roaming\Nursultan2.exe
PID 2124 wrote to memory of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | C:\Users\Admin\AppData\Roaming\Nurik2.exe
PID 2124 wrote to memory of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | C:\Users\Admin\AppData\Roaming\Nurik2.exe
PID 2124 wrote to memory of 3380 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | C:\Users\Admin\AppData\Roaming\Nurik2.exe
PID 2124 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | C:\Users\Admin\AppData\Roaming\Nursultan Cracked.exe
PID 2124 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | C:\Users\Admin\AppData\Roaming\Nursultan Cracked.exe
PID 2124 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | C:\Users\Admin\AppData\Roaming\Nursultan.exe
PID 2124 wrote to memory of 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | C:\Users\Admin\AppData\Roaming\Nursultan.exe
PID 2124 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe
PID 2124 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe
PID 2124 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe
PID 2592 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan Cracked.exe | C:\Users\Admin\AppData\Roaming\Nursultan.exe
PID 2592 wrote to memory of 2244 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan Cracked.exe | C:\Users\Admin\AppData\Roaming\Nursultan.exe
PID 2124 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | C:\Users\Admin\AppData\Roaming\Nurik.exe
PID 2124 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe | C:\Users\Admin\AppData\Roaming\Nurik.exe
PID 60 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 60 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 60 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 60 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 60 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 60 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 60 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 60 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2316 wrote to memory of 4120 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2316 wrote to memory of 4120 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2316 wrote to memory of 4120 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3380 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Roaming\Nurik2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3380 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Roaming\Nurik2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3380 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Roaming\Nurik2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3380 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Roaming\Nurik2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3380 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Roaming\Nurik2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3380 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Roaming\Nurik2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3380 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Roaming\Nurik2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3380 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Roaming\Nurik2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2316 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2316 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2316 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2316 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2316 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2316 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2316 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2316 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan2.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2592 wrote to memory of 5076 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan Cracked.exe | C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe
PID 2592 wrote to memory of 5076 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan Cracked.exe | C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe
PID 2592 wrote to memory of 5076 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan Cracked.exe | C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe
PID 2592 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan Cracked.exe | C:\Users\Admin\AppData\Roaming\Nurik.exe
PID 2592 wrote to memory of 3948 | N/A | C:\Users\Admin\AppData\Roaming\Nursultan Cracked.exe | C:\Users\Admin\AppData\Roaming\Nurik.exe
PID 2664 wrote to memory of 3132 | N/A | C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe | C:\Windows\SysWOW64\WScript.exe
PID 2664 wrote to memory of 3132 | N/A | C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe | C:\Windows\SysWOW64\WScript.exe
PID 2664 wrote to memory of 3132 | N/A | C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe | C:\Windows\SysWOW64\WScript.exe
PID 5076 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe | C:\Windows\SysWOW64\WScript.exe
PID 5076 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe | C:\Windows\SysWOW64\WScript.exe
PID 5076 wrote to memory of 3928 | N/A | C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe | C:\Windows\SysWOW64\WScript.exe
PID 3928 wrote to memory of 4192 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 4192 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3928 wrote to memory of 4192 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3132 wrote to memory of 4144 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3132 wrote to memory of 4144 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe
PID 3132 wrote to memory of 4144 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe

"C:\Users\Admin\AppData\Local\Temp\Nurik Crack.exe"

C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe

"C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe"

C:\Users\Admin\AppData\Roaming\Nursultan2.exe

"C:\Users\Admin\AppData\Roaming\Nursultan2.exe"

C:\Users\Admin\AppData\Roaming\Nurik2.exe

"C:\Users\Admin\AppData\Roaming\Nurik2.exe"

C:\Users\Admin\AppData\Roaming\Nursultan Cracked.exe

"C:\Users\Admin\AppData\Roaming\Nursultan Cracked.exe"

C:\Users\Admin\AppData\Roaming\Nursultan.exe

"C:\Users\Admin\AppData\Roaming\Nursultan.exe"

C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe

"C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe"

C:\Users\Admin\AppData\Roaming\Nursultan.exe

"C:\Users\Admin\AppData\Roaming\Nursultan.exe"

C:\Users\Admin\AppData\Roaming\Nurik.exe

"C:\Users\Admin\AppData\Roaming\Nurik.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe"

C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe

"C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe"

C:\Users\Admin\AppData\Roaming\Nurik.exe

"C:\Users\Admin\AppData\Roaming\Nurik.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Nursultan\AYpmKnAj6qwuogelHipomroLpcHPND.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Nursultan\AYpmKnAj6qwuogelHipomroLpcHPND.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Nursultan\bc09q.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Nursultan\bc09q.bat" "

C:\Nursultan\Crack.exe

"C:\Nursultan\Crack.exe"

C:\Nursultan\Crack.exe

"C:\Nursultan\Crack.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Nursultan.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\NurikCracked'

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=schtasks.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80f3a46f8,0x7ff80f3a4708,0x7ff80f3a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'NurikCracked'

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NurikCracked" /tr "C:\ProgramData\NurikCracked"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=schtasks.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80f3a46f8,0x7ff80f3a4708,0x7ff80f3a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=schtasks.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xe4,0x104,0xd8,0x108,0x7ff80f3a46f8,0x7ff80f3a4708,0x7ff80f3a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=schtasks.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80f3a46f8,0x7ff80f3a4708,0x7ff80f3a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=schtasks.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ff80f3a46f8,0x7ff80f3a4708,0x7ff80f3a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=schtasks.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80f3a46f8,0x7ff80f3a4708,0x7ff80f3a4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,5964969173153907337,17110666673659315890,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6104 /prefetch:2

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

C:\ProgramData\NurikCracked

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 learn.microsoft.com udp
BE 2.21.18.87:443 learn.microsoft.com tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 13.107.246.64:443 js.monitor.azure.com tcp
US 8.8.8.8:53 mscom.demdex.net udp
IE 52.18.219.127:443 mscom.demdex.net tcp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 87.18.21.2.in-addr.arpa udp
US 8.8.8.8:53 target.microsoft.com udp
US 8.8.8.8:53 microsoftmscompoc.tt.omtrdc.net udp
US 8.8.8.8:53 mdec.nelreports.net udp
NL 2.18.121.21:443 mdec.nelreports.net tcp
US 8.8.8.8:53 127.219.18.52.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
NL 149.154.167.220:443 api.telegram.org tcp
US 52.182.141.63:443 browser.events.data.microsoft.com tcp
US 52.182.141.63:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
N/A 192.168.2.133:1337 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
DE 104.28.229.13:1337 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 192.168.2.133:1337 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
N/A 192.168.2.133:1337 tcp
N/A 192.168.2.133:1337 tcp
N/A 127.0.0.1:1337 tcp
DE 104.28.229.13:1337 tcp
DE 104.28.229.13:1337 tcp
N/A 127.0.0.1:1337 tcp
DE 104.28.229.13:1337 tcp
DE 104.28.229.13:1337 tcp
N/A 127.0.0.1:1337 tcp
DE 104.28.229.13:1337 tcp
DE 104.28.229.13:1337 tcp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 192.168.2.133:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
DE 104.28.229.13:1337 tcp
N/A 192.168.2.133:1337 tcp
DE 104.28.229.13:1337 tcp
N/A 127.0.0.1:1337 tcp
DE 104.28.229.13:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
DE 104.28.229.13:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
DE 104.28.229.13:1337 tcp
N/A 192.168.2.133:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 192.168.2.133:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 192.168.2.133:1337 tcp
N/A 192.168.2.133:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 192.168.2.133:1337 tcp
N/A 192.168.2.133:1337 tcp
DE 104.28.229.13:1337 tcp
N/A 192.168.2.133:1337 tcp
N/A 192.168.2.133:1337 tcp
DE 104.28.229.13:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
DE 104.28.229.13:1337 tcp
N/A 192.168.2.133:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 192.168.2.133:1337 tcp
N/A 127.0.0.1:1337 tcp
DE 104.28.229.13:1337 tcp
DE 104.28.229.13:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 127.0.0.1:1337 tcp
N/A 192.168.2.133:1337 tcp
N/A 192.168.2.133:1337 tcp

Files

memory/2124-0-0x00007FF815843000-0x00007FF815845000-memory.dmp

memory/2124-1-0x00000000000C0000-0x00000000011EA000-memory.dmp

C:\Users\Admin\AppData\Roaming\NursultanNotCracked2.exe

MD5 78a2304f3a08a66a5f90757dfb397f2b
SHA1 d6e327d3a056a2c6a2b1af1f72aa03293d191df7
SHA256 f3510f0c072e4c056ba514a8579f8eabcd2a4a18756e1da3d56ab17bc42ff358
SHA512 a2d204d6492585d35af689673f806cd85d1030123e929e311fe06e84eb437084386f61614a9ec3b4fa135785a0b1752bac24991294b28c2ebc6f4770ef8b8e41

C:\Users\Admin\AppData\Roaming\Nursultan2.exe

MD5 bdfdfa323d578c1f668a4f97db9b8d10
SHA1 66e7fa0ba48988483c1601a9c2301d318639c5d4
SHA256 4bdfa89047bfe08d94cac51bde472f37e3a002e673e6218fa5a5c3c0cd33117d
SHA512 fe4470f25ff65df557884d131bfbb450e651b3a9151008772d903dac251e3e04bcf1aac370f1b172d3e06145bdafe8b3c5ab95a6bc565e7fbc88add8deb7df38

memory/60-24-0x000000007503E000-0x000000007503F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Nurik2.exe

MD5 b8b51df76b3f00ade7d55cd4c7f0d6f4
SHA1 2f7f9ddfab8cad5cef96cb0e9991efb89e642d9c
SHA256 1babeacafc7be55b72451ef9fdc0cb756c74f0cb9f8d6cc5959e731738ae3a91
SHA512 dcce8cac094346deac8f9453e0d3b428b7a1a443e865b3fe6a7e45951607ef017f104f7e48cfaf9c26d1816256a7d62a8c6347cf694dfeab837810cdc5cbf91f

memory/2316-37-0x0000000000460000-0x0000000000698000-memory.dmp

memory/60-39-0x0000000000870000-0x0000000000AA8000-memory.dmp

memory/3380-38-0x0000000000FC0000-0x0000000001272000-memory.dmp

memory/2316-28-0x0000000075030000-0x00000000757E0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Nursultan Cracked.exe

MD5 fd3fb20e423d639029be8a7a9b8f591d
SHA1 7e1c144b4028548742b1d324305f6c8a4bd66bf3
SHA256 9877905b046182b385cc16a102e05b0a08495d966f7dadbaea8b39871755eb33
SHA512 e25a7f851cb0a76e33de0ac37de4303b36532a30e983c71136b28b6b494affdbfe3cb4a2eacca4993bdedc6e33c1ba9784c26c303024d5c05b09d7d1e83550dd

C:\Users\Admin\AppData\Roaming\Nursultan.exe

MD5 51da89019cd04b7e3c032638bcdbb44d
SHA1 5c24aa8307f624bcfc8af66e62e59314cad357f0
SHA256 af8a4ba4e90778e99e4dc65b5c15f674a93572f10b562dad9428e7d50ef51c63
SHA512 ffe682c4e98929448d427133e2e3094e0f98e9788cc2bfb3ad226b90e1ee4e2afe4e1d982f4d48269a7b310b20da6b6e879765fdf58bbf601206b4621a2b4fc4

memory/1084-69-0x0000000000890000-0x00000000008EC000-memory.dmp

memory/2592-68-0x0000000000D00000-0x0000000001212000-memory.dmp

C:\Users\Admin\AppData\Roaming\NursultanNotCracked.exe

MD5 7c1116ef335e3d57298a17a0dc63da3b
SHA1 4c82030db099dd24e6be5cfeada9234bcda47e92
SHA256 a7a8fb604ff5d7eff7dba47b08254be021a7f4490af6de409a7475da98af98e1
SHA512 caf030dce4eb52e9ccfd3d0f8746fa83429e64f8061a73c435781b5b390e98aa868f5fb08f839ce706a352fcaabce0d89b7e698955d1f6c14ff38d5bcd7ef557

memory/2628-91-0x0000000000BF0000-0x0000000000CC6000-memory.dmp

memory/3424-93-0x0000000000400000-0x000000000045C000-memory.dmp

memory/4792-101-0x0000000000400000-0x00000000004D6000-memory.dmp

C:\Nursultan\AYpmKnAj6qwuogelHipomroLpcHPND.vbe

MD5 071179a85937fdcdd1e7853647b3295b
SHA1 86cf73d4385e9fb7798ef111fb2216575a4f89d9
SHA256 1b65d87e4f452e62e0365924b15814b10a5fd685bfe1b780396684f76961fdd6
SHA512 dca54bf366c81c512430fc49eb6c882b0c71da95cbf9b75a8c8a061a9b537a00033572900aaea0f5546f0274348f462284c1e344d5f3bc53410e0a308fb9f6fb

C:\Users\Admin\AppData\Roaming\Nurik.exe

MD5 229ca4222f782cf9a4de319a507595bb
SHA1 31b9891f4f519bf535b5ca06093fa61c12178db0
SHA256 f827c4f3ead68d8f15ba9447ca69c3119d1eddd917ef36d73494d4844e888dc9
SHA512 8a572cf52f0134f417e18df92d49376b444843a8485b7ac33e0ec963c30ad55a71f363643c7da2a7ce52c3eb5eb4ef1dedf050e91d07b06686f34badc0891186

memory/2316-107-0x0000000075030000-0x00000000757E0000-memory.dmp

memory/60-87-0x0000000005CD0000-0x0000000005D86000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk

MD5 adeb2f92adac4731fcb98b7ff5ef9264
SHA1 f9ce13b06886730948da5aed599e1c7395b9a07e
SHA256 ce8bef46910cdf6584227b6f5d202ba70e87f08e972b228719042fbe8573603c
SHA512 6ee7028fcc6a1e4651bdf1014e6ad735f2952b65d8b6b713987e9234c55971771558c943190c6d5a4c23c26b8ee9af480bdc5a1560652f4e21f4bbe14cb2244f

memory/2316-74-0x0000000005D30000-0x00000000062D4000-memory.dmp

memory/2316-61-0x0000000005030000-0x00000000050CC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Nurik.exe.log

MD5 386677f585908a33791517dfc2317f88
SHA1 2e6853b4560a9ac8a74cdd5c3124a777bc0d874e
SHA256 7caf8779608c167ab6fa570df00c973aff6dee850bb63439770889a68c7cdae0
SHA512 876d2269e25a4b2754bdf2c7e3c410050f885d7e6bd8abce41c5fc74ae1f8c549b2266dd1588c750f614063f36c8a8e5008cea610505897d04e4ef5c3adc52d9

C:\Nursultan\bc09q.bat

MD5 e97fad1a36c0fa03ea46e8a8a6e5da1a
SHA1 1febf8469161b6d435c8e08b28b599502a207ab7
SHA256 b8b17538cb450d83232dcad0019c28ea7b5ab3d6a9b16dbe30c449329fbcd593
SHA512 6c1b8b00f3755d309b562126226687da9f10220c1504479d2a5525dbdd8864c9a37e9d3392e47adde3ae8121fdf5e787ea3e581be3e89b3f3245094da85f49ff

C:\Nursultan\Crack.exe

MD5 f00e2a0e9f7ec6e13e960670d7bca9cb
SHA1 5e27881f87bb77136b21229a6fb67e076d06db40
SHA256 8dc2e1698909f50c91cc2199a13ce29931f80856854845e27541840e3722df81
SHA512 85850eba79e82d11f1b258ece3f6e4894dda54e1ff63f45890d9ffacc7b6b171ab9cf5b1c7400fb7419599a3f44657346adb8cfb36924106f0f48794f3109aba

memory/2540-120-0x0000000000E40000-0x0000000001160000-memory.dmp

memory/2540-121-0x0000000001810000-0x000000000181E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3zwhg3iq.jwm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2540-124-0x0000000001820000-0x000000000182E000-memory.dmp

memory/696-122-0x00000206F74D0000-0x00000206F74F2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d42b6da621e8df5674e26b799c8e2aa
SHA1 ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA256 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA512 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 da185fddf7e751e39023edde12930f37
SHA1 657fcb7fda401b69d3bb97e7b6abf126ac36d4b2
SHA256 8928226805a92acd76d21e1a276176d9af3ca1ec31f14e45a2b4b88f4722cad5
SHA512 db7bc02a1bd86d587840a56334dee9cb80aa0a8635cd2eb1c490bc5466659350de4d625f320731e34fac235016515d0dddc05a6081149dc6c2e82c262be6b975

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 eaa3db555ab5bc0cb364826204aad3f0
SHA1 a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
SHA256 ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
SHA512 e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

\??\pipe\LOCAL\crashpad_1036_ALVESDOBTXRJKOZN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4b4f91fa1b362ba5341ecb2836438dea
SHA1 9561f5aabed742404d455da735259a2c6781fa07
SHA256 d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
SHA512 fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2f3f82726781b726be45dc168c7e8d0b
SHA1 cd6b1aef925ee04cf1c1ba4f99f4b2ea2e3823d4
SHA256 167618a3ee9d9a43ccd09c0432efd1b217b888bc492616a95ef20a1e578f3535
SHA512 67595bc7a75a810b48b1b92238e480d8b7180f7ee243e5b7a18e8fa964b6bcad7874d621104eb864c05ac866868ff237f0a548bbf1a1cb555decb200c23959cb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9c740b7699e2363ac4ecdf496520ca35
SHA1 aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9
SHA256 be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61
SHA512 8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Crack.exe.log

MD5 5cb90c90e96a3b36461ed44d339d02e5
SHA1 5508281a22cca7757bc4fbdb0a8e885c9f596a04
SHA256 34c15d8e79fef4bddec7e34f3426df3b68f8fc6deac29ea12d110f6c529fe3bb
SHA512 63735938c841c28824e3482559df18839930acc5ea8600b1074439b70a2f600a92f41593568e49991f25f079e7f7361b4f1678feadbf004f6e9e4d51d36598d4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 eee9f0b927fb957d9b2abd158b7e3569
SHA1 78e4405c55040770c00269783ce0ffc1263f0c30
SHA256 1f23a0de458631a0c63070ac1526e529eb6df31e4b25d471f89c40eabf26f37c
SHA512 65637617e61188aa7ef9977726e89bc4d06a32cdfb4f66e35c645f3573ac3cd57521eb35279340e54f0105aaf5758f11ceaa0585d67de36136456711d0bb3dd0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 688b9c2e653644666466361dfb2d3167
SHA1 255128bc5fa0c92457a29f74d1ac674574d26489
SHA256 3f84b2c599fbd7c2d97ad2213ee9ec39a1f04b34fa1967525604b8d3eaacfc62
SHA512 a35c5ed273bfb69f9f9f0318ae1d1f41b03b29fb5c51dfd2c8826c4af99f753be8d8a096eacc4b294980cf05ad21085251af3b0bc579fefde5bab4690e302912

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fe7346424240eb126b05e62cf3945d0e
SHA1 6fb6d206b06efd53d87edfdfc3158a4e47aa7666
SHA256 3593b7f33e484127d57e4f1480b5b7b32c5aadb629838128b6f4ceb4524ec657
SHA512 04eab351b8a6022a7d0b13d5b284e2a7db6d287a285c7893184039922a7ee72f334c69ee42316e8b956c6c5bc32b4922bc89ef335d8e45a6d5fb9d3e0acde00a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 3d665ee9be76ceba2c784c98b46163eb
SHA1 ed8f9eddc4947f277f1ecdfd40ec3cbc3d4aaa42
SHA256 4de128394e96e8442cf560eefe81389e29fcbefd21ef2b3c88435f46fb7e4663
SHA512 e036bfd8c56267f416b81f87422ae8ef54841cfe8951905bbb4098ad6d4f35ccf3548988a7eb9d5cf6e73b84dd6b57e25df5bde373a72bdff4e72cd0c7ad7499

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 5a487f1a4ad1473828417705fb8f9adf
SHA1 572eb213ddaa178742c97a5b82a7f8f7185a4b3a
SHA256 68d0e56b749585f8a9db2bcbc188d87912eba01b6311ddd58c32abce79792406
SHA512 5c500a4e158613c426cdd27e78881767b1f792eb62805c7e91eea7d65d7c1240e785567671302017ef615d59df4556afd73f4fd7527de8317192101111102c67

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b805.TMP

MD5 0d36c98d3f33f530276a7064a0d0a4a1
SHA1 bf853e2b77f41b1d0169a780b6e7a4a43c65c212
SHA256 822cd09b60250e35376e78dc135c7bd652af9c8a53ed8c31e40bbab09936ac3b
SHA512 1e1ce372b74be9a15d52db1caa1fd2764b1191d4e4648163b5fd988dcd99d2bf1cbd4593884a673c3fc2926f696e4633de50d7949c638be274a16eda9123c9d6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

MD5 1478de9c94a368d7ed03d50bb6005cdf
SHA1 afdcefbe26aa59c0e4ae668cf422adcf589461a8
SHA256 81cf44a40792ce2cc46ea896bbf06a91687ca4c25faee4e67e470a7d61a77914
SHA512 dc980bc3355ddd8096f8751c9bb51f1e296322eaa5d4a9f20588690c3e799eb9aaec823fdccb098c53f4be978614e7980c419bb9ce7cf6b66c3db9515d9bf80c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

MD5 49a7e6bd6e5a1d261b082ce64de784bd
SHA1 d9e2855293dfaec6110b63e39b0bea3ce6a1dae2
SHA256 63c4baa96e0e4324a3b8c3fb260df92dcdc485165083bb53dc51403e5615c1ef
SHA512 a677c369a60d26039983b7cf76a1e27aa10fd002d3872d06699254634bc4a6d8660393078aad0d539f86748acb8f79abd249ea8ad701b077203613039474ef3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

MD5 e51f388b62281af5b4a9193cce419941
SHA1 364f3d737462b7fd063107fe2c580fdb9781a45a
SHA256 348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c
SHA512 1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

MD5 2e0ba435ee3284e38dd103398e7b4627
SHA1 de331d9f52e91afc5564a10fe7be0ae101b57ba4
SHA256 d389f7aaffdac965a6efdf54512cb0614e50e6249e5be6e139b1fd7ff3f34744
SHA512 c3c4b0c3f4704de52f9329828773b8c407783853caaa2de7a55882b7ff7a3c3900b995a5f6b86637c2493259abe2bd868fab1ea821646eaa36bc25884e720a13

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

MD5 5a4dc0b77291cc0d22f48a8e1cbe9ad9
SHA1 e9cd681d30efefb4f1aa073c86b927574924be35
SHA256 3157953dfa184e060c069d6378f588d028d4c5121bbc9d01e8ef7a0ee1681ff2
SHA512 a69d9cd41d32e35e23c41961ea4c8911cedd70095e37a8070e2fa86258eaac32225ab46c745c67e2d1b5bc290666ea6d883f4c2ad190e5b96d45b94b718ea62a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

MD5 34504ed4414852e907ecc19528c2a9f0
SHA1 0694ca8841b146adcaf21c84dedc1b14e0a70646
SHA256 c5327ac879b833d7a4b68e7c5530b2040d31e1e17c7a139a1fdd3e33f6102810
SHA512 173b454754862f7750eaef45d9acf41e9da855f4584663f42b67daed6f407f07497348efdfcf14feeeda773414081248fec361ac4d4206f1dcc283e6a399be2f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

MD5 522037f008e03c9448ae0aaaf09e93cb
SHA1 8a32997eab79246beed5a37db0c92fbfb006bef2
SHA256 983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7
SHA512 643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

MD5 240c4cc15d9fd65405bb642ab81be615
SHA1 5a66783fe5dd932082f40811ae0769526874bfd3
SHA256 030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07
SHA512 267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

MD5 870b357c3bae1178740236d64790e444
SHA1 5fa06435d0ecf28cbd005773f8c335c44d7df522
SHA256 0227bd6a0408946e9b4df6f1a340e3713759a42a7677bdb8cb34698e4edf541e
SHA512 7fc902e787b1f51b86d967354c0f2987ea9fd582fef2959831ea6dbc5e7bf998a8f24ba906f0ee99ae8493aeb0c53af06bee106d60b448ac50b827c63b1ed169

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

MD5 049412f03408193f0103637411b42627
SHA1 540da51436d5a9e305bb113fd522b91448348813
SHA256 ba778d4f93dbb62ed50333a967dbc34bb1fd5c9b45ed90b7366d72bd6a2955db
SHA512 90f11094e997cbfa3593fe6a365b0d942ee03eaa9512ab73c0b6d7cae409f7e0b2b15118944fb4dc113169f2ba900ebbce9bec8ee34c3832c5579f217b784aed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 83b126b1870fbc597ca46cc07da4e97a
SHA1 5c00c17bc47f3c9e987402891c79fa2f53e5d7b1
SHA256 8e045f756721426f276133be8c8d5605b549e03bd2104237848d7bb57ccf32ef
SHA512 9482813663bc1a44380f5b387a494c4e3af91ae72ed88240eec2884470e1214fe852fed2c9470e1baf7ee5048c7b65d142e5f935ae2bfa76deb4abfa9886b886

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 444d5556e454a9bfa043bfb299c201b2
SHA1 77fd5a4cd457d366b4e8a8d9d5825d8d21d12470
SHA256 2e328e9b7bea84f75a835a413285d52dcde57876814f224b0008ebeeb05c32bb
SHA512 b2552539796f42160ad366a5f63cc9586ff7edd01eec5c41e10c503bca4e82cc7d7323489d382eb02b0157428d21baad74bc3da2996029462c5ad8c84006bb55

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 da15e4cc95edb09187d4fef7e8d724c5
SHA1 b027b5903a972eedaf80d18b6ee4dd449d56e668
SHA256 f0df087152c69edfc86f901538f5cc8215ff7f22394386d054829b8b6233821d
SHA512 b454aadb7363976c4da61bf8068af601642eb2c8b835922f2022a2f1de29bcd406932652b7e59a3b7bb0ac116aaf115a8dfb935562bb88e58c420e51473bc38e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 fabd05b0e31f0fa79f37f4a427daf215
SHA1 fdec5130b2afab3912a305ea5eb2d708003c150e
SHA256 66239112b8add8cad0346c742a89b818b03e3d56479b23c280eb7cd142ff54d6
SHA512 470c248dd0634d2cd1bea9a6d645de9dad4df7687932bb1377bd64f3587b9411cef7ee73547b2dd31c160d15d442cc2038bf7c1c8d12caa7761a0d70ab1e6aa7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e68a6f4f66ae8102_0

MD5 b87e067ebc4e4765e2e2c16d770b3e33
SHA1 3a29d5a819bb4a8194cc6ab84e585cdc31700b7f
SHA256 4c75374e16b5587717cb2bcbce047eec40a276f806b52ff2af7d1795aaaa2f0a
SHA512 86a3572008966510ce8735d0b3ec40ebe83b03fc55a4419aa335d9c022d6949b6761aa15247367676545e9046ae893239a983896c6b5e1262bac5c72288b0507

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4e003e8d3cded39b_0

MD5 1c7494e7b1512430ed74f8874675affd
SHA1 514d6e8b64de5e6fcdc958213ce6e44bb451bc88
SHA256 2841ed5d26a930db97a2547684a42c216c02210ef844d923b52f6f1e3300ae33
SHA512 e603a8a2ee59088e1ce8e45907f163b074d41e6659a10d795e749ed5724eaa82c575b5507c230731974b1cd0167f2fa689e634bc359d789e52566372639d8849

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\60b6695653fc0e21_0

MD5 2ffc6ffe038a6e833442b17e5916c3f1
SHA1 61cd608d3fa48fd648bd0d4fbe50bf891a892ad3
SHA256 6b5c05dd55e39bf4d749dc33603adfbf4e735c0b5d5c565b0cc2f211cdd46129
SHA512 dd3d72739324f6bf3665223682ded391f3c6928f96d20d0f5825114c8571e7266be7b7ec30da67507977eb13d2ca04b558bb8cb77165dc5ced32cd4a648a8f99

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\daffaa069977dcc2_0

MD5 050e6c77f2fd79ccac21e55424e1705f
SHA1 73d09d13206e05726707ee274814466dfc3c3346
SHA256 cdfca66139daa5a521d677f32b49c527a228104d1c8b07b50742b6b0a6c8548c
SHA512 5664d2db0485637cebea5359d028b9c318c21c5558fd34ea709c99cff1fb0edd1e571bbcf43fd959cdc9d75a741f3f3555e040b0b48dd0caf65bb5dd87b65c3a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\59a0dffc442ad043_0

MD5 adc211ac0db8a94d983ea2a15c7c594f
SHA1 b123cd0f8245a6190a1d802ada9f59999ad9b158
SHA256 409dc934a8bb4d1b9990bff9ab6133b0e7c1ea50638eb72127925cdfa6747124
SHA512 b3045d5587a38437d7b4ab3fdceef8c966652f3063ca61155e365fec64239a03328634508e2c2b2f08d6e4dcdc4f97775cf3b4492e75dfb7a562dca701a00fcd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6aeead706c5a0d00_0

MD5 ac977e8924183ae467131b0f67c38b2c
SHA1 6bf4d920a3a58becb0f8478b5a609c02f052554e
SHA256 58a8810b82b8746970970d965dee536448000da160fd99fa1d1d59d5ec9c5e58
SHA512 e2f9765fbdede0a7cbcfd9d58e6d6e1c23c02d7c20c6c91fcc3ddbc6e510a822443f0f9a56ddfae735bd9ec4d7541f782142f3dc72913222d49655f9cd81d826

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8f3c2e2c260a7099_0

MD5 349f7ec32b21489df9c549211b6d749a
SHA1 a4f9de28c549936cb17774cfc08e9a0c0c024755
SHA256 325aaeb17f436a394347469812f3b6692a9110268736579a85ba1804e6791e2e
SHA512 1010b11d790a2c1fc3c13a3969b1ef6d2be7bc5e733190dc37a6d7f80300316dd914e19e7971c3b4f406a51400ca41ea8cf22168eabb60487ddfe2232990f4ce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e69b22e49eb9beab_0

MD5 b19e065e441a4808a90b1b58c3695fd4
SHA1 5ca529d2e4e22b98a27619c308dd6f69c5ca8c35
SHA256 1d9b6b270566f0db8153fe660b08a50ca1de201ef41fb7cb74772164552f3761
SHA512 d112a69a86fa2ae9578001c57e45e3b5020763fc5f2e425100e981db0a8b98ecd94291759740fa886bf0e26b439f7010cdfca8062e8a911211317d5f0f18dd63

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9c1e175bdb6cd9ef_0

MD5 70fa2e8d32dee6530a9fd01bf34c15c7
SHA1 bad4b64c8c04c44c49ba31f9b7916dad117c8c56
SHA256 22dc7ba78fd30271dbec5360fc4833868c7b9783d59fb29636d3a9daf3b3e48d
SHA512 efa46ba36589178eb413d559593757659c085f447f805abd59b375d48553d99836ea1098520ac1356065e283262389d80323486a9595481c9c829bbfb94d2ea6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 963f3e091aaca5d9cbc598ee573e8ca9
SHA1 500d5c83625467d7d51e2461d4a5f918c7fb4437
SHA256 763d957f676f35386d9a41e07775f749b0fa8c6c8f4ec80031733702c85484b9
SHA512 5d2b1962ceac3e40d47dac55e811cf5a5a8465fefd36cde758f1907679c7ba0a08ab0697275fc90f76797cb6997634601169a99623023de008fe7fd42f3b6eec

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 72ce22cf639f5543fc326a5da0ac0d24
SHA1 467e3e4d9a26fa41782de8eb8cc0b8446ab8aeaa
SHA256 9addd64dbbdc4aa78e3314434c367a0062e8d9290d67709a1f25936df3152fb6
SHA512 996c7f6f105accacfea0eeea2bab40e4f5fef885ba13466a1fe22d2a849b53442c687556520218f18e1e77006518f3ca78e99a61a814ed5496dee1b732a9f1b3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 05592d6b429a6209d372dba7629ce97c
SHA1 b4d45e956e3ec9651d4e1e045b887c7ccbdde326
SHA256 3aacb982b8861c38a392829ee3156d05dfdd46b0ecb46154f0ea9374557bc0fd
SHA512 caa85bdccabea9250e8a5291f987b8d54362a7b3eec861c56f79cebb06277aa35d411e657ec632079f46affd4d6730e82115e7b317fbda55dacc16378528abaa

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c96a9807a581d2dab75c1411c1a28021
SHA1 7721cbc631995a4fe7900772f302082afc22229b
SHA256 14f0c57aff56873d25d7411af610975f33057eb9dbb4f970cd86e37e8bc8e173
SHA512 430dd0bf54af801fb83f4effef2746dfd38962970a48c2c700b15290374ffa07452f40d3588ed8b781dc8c6f688e798edb289f2346099a2a00fe5ac67b6bf089

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 4f9975d867b9f99ea1c15fea1a6ed0e4
SHA1 30710d142216b5d9ac9bfe486c78cce366c0179c
SHA256 4ff5f2432464b31fb59c07dc6a7e97bbc86ab73db8c52bd6b3810ddc8682a2f7
SHA512 70c6a1c8018a61f3da073692cfa36567ea2608d0ca89416b565522bd91ebfc13c7f05d8391c10f4174d645ba666b1a3e34f7ab05ac9ba40cd6fe98ec32ff07a9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\NurikCracked.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1