Malware Analysis Report

2025-04-19 16:05

Sample ID 240522-t4x3zshc74
Target https://www.youtube.com/channel/UCuHeiORKwgjZ5-n8xoq_zVA
Tags
xmrig discovery evasion execution miner persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The submitted URL https://www.youtube.com/channel/UCuHeiORKwgjZ5-n8xoq_zVA was found to be: Known bad.

Malicious Activity Summary

xmrig discovery evasion execution miner persistence spyware stealer

xmrig

XMRig Miner payload

Stops running service(s)

Creates new service(s)

Command and Scripting Interpreter: PowerShell

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 16:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 16:37

Reported

2024-05-22 16:48

Platform

win10v2004-20240426-en

Max time kernel

612s

Max time network

605s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UCuHeiORKwgjZ5-n8xoq_zVA

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (16 identical entries)

Creates new service(s)

persistence execution

Stops running service(s)

evasion execution

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}\4484.obs C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439} C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Roaming\WeMod.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439} C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}\4540.obs C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe N/A
File opened for modification C:\Windows\System32\CatRoot2\dberr.txt C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439} C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}\4040.obs C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Roaming\WeMod.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439} C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Roaming\WeMod.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Roaming\WeMod.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}\3608.obs C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A (50 identical entries)

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (4 identical entries)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A (2 identical entries)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (6 identical entries)
N/A N/A C:\Users\Admin\AppData\Roaming\WeMod.exe N/A (3 identical entries)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (3 identical entries)
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A (2 identical entries)
N/A N/A C:\Users\Admin\AppData\Roaming\WeMod.exe N/A (11 identical entries)
N/A N/A C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe N/A (3 identical entries)
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A (2 identical entries)
N/A N/A C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe N/A (8 identical entries)
N/A N/A C:\Windows\explorer.exe N/A (20 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (64 identical entries)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 4308 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 744 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2936 wrote to memory of 2756 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UCuHeiORKwgjZ5-n8xoq_zVA

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe6c446f8,0x7ffbe6c44708,0x7ffbe6c44718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1124 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5892 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x304 0x30c

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6328 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2684 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,15186593494376346401,7204181405987521439,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7100 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Melonity_Installer v3.6.rar"

C:\Users\Admin\Desktop\Melonity_Installer v3.6\FieroHack.exe

"C:\Users\Admin\Desktop\Melonity_Installer v3.6\FieroHack.exe"

C:\Users\Admin\AppData\Roaming\WeMod.exe

C:\Users\Admin\AppData\Roaming\WeMod.exe

C:\Users\Admin\AppData\Roaming\Sirus.exe

C:\Users\Admin\AppData\Roaming\Sirus.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "SRIAZLHB"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "SRIAZLHB" binpath= "C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "SRIAZLHB"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\WeMod.exe"

C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe

C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\QtQuick\Controls\Private\style.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\QtQuick\Controls\Private\StackView.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\QtQuick\Controls\Private\StackView.js"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\QtQuick\Controls\Private\CalendarUtils.js"

C:\Windows\System32\Notepad.exe

"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\QtQuick\Controls\Private\CalendarUtils.js

C:\Windows\System32\CScript.exe

"C:\Windows\System32\CScript.exe" "C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\QtQuick\Controls\Private\CalendarUtils.js"

C:\Users\Admin\Desktop\Melonity_Installer v3.6\FieroHack.exe

"C:\Users\Admin\Desktop\Melonity_Installer v3.6\FieroHack.exe"

C:\Users\Admin\AppData\Roaming\WeMod.exe

C:\Users\Admin\AppData\Roaming\WeMod.exe

C:\Users\Admin\AppData\Roaming\Sirus.exe

C:\Users\Admin\AppData\Roaming\Sirus.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "SRIAZLHB"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\WeMod.exe"

C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe

C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\Desktop\Melonity_Installer v3.6\FieroHack.exe

"C:\Users\Admin\Desktop\Melonity_Installer v3.6\FieroHack.exe"

C:\Users\Admin\AppData\Roaming\WeMod.exe

C:\Users\Admin\AppData\Roaming\WeMod.exe

C:\Users\Admin\AppData\Roaming\Sirus.exe

C:\Users\Admin\AppData\Roaming\Sirus.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Users\Admin\Desktop\Melonity_Installer v3.6\FieroHack.exe

"C:\Users\Admin\Desktop\Melonity_Installer v3.6\FieroHack.exe"

C:\Users\Admin\AppData\Roaming\WeMod.exe

C:\Users\Admin\AppData\Roaming\WeMod.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "SRIAZLHB"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\WeMod.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe

C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe

C:\Users\Admin\AppData\Roaming\Sirus.exe

C:\Users\Admin\AppData\Roaming\Sirus.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Users\Admin\Desktop\Melonity_Installer v3.6\FieroHack.exe

"C:\Users\Admin\Desktop\Melonity_Installer v3.6\FieroHack.exe"

C:\Users\Admin\AppData\Roaming\WeMod.exe

C:\Users\Admin\AppData\Roaming\WeMod.exe

C:\Users\Admin\AppData\Roaming\Sirus.exe

C:\Users\Admin\AppData\Roaming\Sirus.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\Desktop\Melonity_Installer v3.6\FieroHack.exe

"C:\Users\Admin\Desktop\Melonity_Installer v3.6\FieroHack.exe"

C:\Users\Admin\AppData\Roaming\WeMod.exe

C:\Users\Admin\AppData\Roaming\WeMod.exe

C:\Users\Admin\AppData\Roaming\Sirus.exe

C:\Users\Admin\AppData\Roaming\Sirus.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "SRIAZLHB"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\WeMod.exe"

C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe

C:\ProgramData\fxporonoytqe\tsuxzpdgswgq.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.youtube.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
GB 172.217.16.238:443 www.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 216.58.212.206:443 consent.youtube.com tcp
US 8.8.8.8:53 1.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 198.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 206.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 74.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
GB 216.58.212.206:443 consent.youtube.com udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
GB 216.58.212.206:443 consent.youtube.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 i.ytimg.com udp
GB 172.217.16.246:443 i.ytimg.com tcp
US 8.8.8.8:53 accounts.google.com udp
BE 64.233.167.84:443 accounts.google.com tcp
BE 64.233.167.84:443 accounts.google.com udp
US 8.8.8.8:53 246.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 84.167.233.64.in-addr.arpa udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
US 8.8.8.8:53 rr2---sn-aigl6nze.googlevideo.com udp
GB 142.250.187.194:443 googleads.g.doubleclick.net tcp
GB 74.125.168.135:443 rr2---sn-aigl6nze.googlevideo.com tcp
GB 74.125.168.135:443 rr2---sn-aigl6nze.googlevideo.com tcp
GB 142.250.187.194:443 googleads.g.doubleclick.net udp
GB 74.125.168.135:443 rr2---sn-aigl6nze.googlevideo.com tcp
GB 74.125.168.135:443 rr2---sn-aigl6nze.googlevideo.com tcp
US 8.8.8.8:53 yt3.googleusercontent.com udp
GB 142.250.179.225:443 yt3.googleusercontent.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
GB 74.125.168.135:443 rr2---sn-aigl6nze.googlevideo.com tcp
GB 74.125.168.135:443 rr2---sn-aigl6nze.googlevideo.com tcp
US 8.8.8.8:53 194.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 135.168.125.74.in-addr.arpa udp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 youtube.com udp
GB 142.250.200.46:443 youtube.com tcp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
US 8.8.8.8:53 static.doubleclick.net udp
GB 172.217.169.74:443 jnn-pa.googleapis.com tcp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
GB 216.58.213.6:443 static.doubleclick.net tcp
GB 172.217.169.74:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 6.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 upload.advgroup.ru udp
RU 194.226.27.11:80 upload.advgroup.ru tcp
RU 194.226.27.11:443 upload.advgroup.ru tcp
US 8.8.8.8:53 maxcdn.bootstrapcdn.com udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 104.18.10.207:443 maxcdn.bootstrapcdn.com tcp
US 104.17.25.14:443 cdnjs.cloudflare.com tcp
US 8.8.8.8:53 netdna.bootstrapcdn.com udp
US 8.8.8.8:53 11.27.226.194.in-addr.arpa udp
US 8.8.8.8:53 207.10.18.104.in-addr.arpa udp
US 8.8.8.8:53 14.25.17.104.in-addr.arpa udp
US 104.18.10.207:443 netdna.bootstrapcdn.com tcp
RU 194.226.27.11:443 upload.advgroup.ru tcp
US 8.8.8.8:53 mc.yandex.ru udp
RU 87.250.250.119:443 mc.yandex.ru tcp
US 8.8.8.8:53 mc.yandex.com udp
US 8.8.8.8:53 119.250.250.87.in-addr.arpa udp
GB 142.250.179.238:443 play.google.com udp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.16.238:443 www.youtube.com udp
GB 142.250.187.194:443 googleads.g.doubleclick.net udp
GB 172.217.16.238:443 www.youtube.com udp
NL 94.156.65.88:81 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 88.65.156.94.in-addr.arpa udp
US 8.8.8.8:53 31.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 zephyr.miningocean.org udp
FR 141.94.115.174:5432 zephyr.miningocean.org tcp
US 8.8.8.8:53 174.115.94.141.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp
NL 94.156.65.88:81 tcp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 172.75.67.172.in-addr.arpa udp
NL 94.156.65.88:81 tcp
US 172.67.75.172:443 api.ip.sb tcp
NL 94.156.65.88:81 tcp
US 172.67.75.172:443 api.ip.sb tcp
NL 94.156.65.88:81 tcp
US 172.67.75.172:443 api.ip.sb tcp
NL 94.156.65.88:81 tcp
US 172.67.75.172:443 api.ip.sb tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b2a1398f937474c51a48b347387ee36a
SHA1 922a8567f09e68a04233e84e5919043034635949
SHA256 2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
SHA512 4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 1ac52e2503cc26baee4322f02f5b8d9c
SHA1 38e0cee911f5f2a24888a64780ffdf6fa72207c8
SHA256 f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
SHA512 7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

\??\pipe\LOCAL\crashpad_2936_ITMMAHQRWVMBNDMC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f95c5152608e81ebdc263e3c04b53714
SHA1 188aebc3eda8fb2ab0ef19c665539632a00aa57b
SHA256 44c7ec069f4ff350c73b213ec710a5e5e605f713aababf0fdf100e2653f273b4
SHA512 65d0640b2f137ca130ed80b8216d212a9d5131806cbb8c1af1c748617739b15416a3fc62bd244c179a8a5f05a4c7dd56a45000a6c94479ecb4022262651f03f8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6beca670894d8d741d56cc0589a191f3
SHA1 afafd5b8014e93379326ae22c25a1ea5422e10ea
SHA256 a874fb9e7ca8c62073eb6c18fe1c236e05ce608f26a84c1b372e69a9cea9c4c9
SHA512 a7ebc662ed180102e78ba622fd021f615ba90352c60f10749c73cf7db7a3511c141b35758a6bfc6da96a1fd7f1a5ef40509532d5ba47b91825f7c75673573028

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c7e29e1e2d51d914d30f8dbc35f66ddd
SHA1 1bbfe294cb3b36bbf40455c03a1cf0b50ec1f37f
SHA256 f648df81dfda9c2856fabc23298b10e07240d31273548e1bce5b5378a9d386ef
SHA512 60b87ad865692566ddd617b3d00ffd291248f142834fa056dda25bb94681325a52bdae6913cb1201100be41f451f2c4f2b16e09c36c44a5ad491e83c520d990b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 b2e3b0f6414a16a2244b78145950c356
SHA1 9e5261ad76f6decb53b2d03bf6dd7a7c12d4dc1c
SHA256 c4004f14292f29bffaca1afbcbfdbcaef7eda9576b080cc0343894dc6e879ede
SHA512 1a0bb0854e5086710dd32172ed6ecb7e6a7dd6646b12b07bc03307c0b348041c91c89c7ea2da20fa5a68b696357d1533dda364fb47c08a29c28c24615c1e6807

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 8ca956cc13f88ec4986dd25489f0822c
SHA1 8c56a38ef647adc0147e09b02c63d5662b6a85d2
SHA256 777b69e7ac07690936e656ce0ac718a3ad0724d47272e5c30a7920085714994a
SHA512 ff3c245beda1a7291802d91da9ce9468d67e8907efcd51b68ff7ad74a00f076702236c848dae049b0f642f6630543a474114b08e45c3655d34205cf5d186850d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 32a5d5678cd4d41244c74c29e4cbc93c
SHA1 ac8620bcd9d16172aff755e65567aa3bae837910
SHA256 b1f7f72ab40a5a0d0ef0f03f612908fe1b4baa59dc8b0fcf74228b41ba7ca5b5
SHA512 461b51445f084f5e8a56214e05690d07ec27b3dca3efbdba9e11f90d6255e32c7535196f7dbd89f51d4b768972877da227d241afa6d5af0fe1a9a15777ab056f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 960a8662cde6f57e48ee40aefa6ab681
SHA1 808f6b47893cacce4267ed2f017ca3ccc05bc600
SHA256 86ef9b90a65ebeca89299fbfa1427d255545819b3bfeda54b108cda48329a4d7
SHA512 b2c01db93534adc204c74d49a3cead842b316dd0e3b354b3f7bb418a15b6a3ff6ddfcc739da143b46d5502080ddc58a1c713447e586590c9f2bc7c96008a030e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 4c6a69949e274f9bc7b561e9e04b08ba
SHA1 75024a38dd3e803724a62b3e44b96ea2f0cbd523
SHA256 6d440b07ef2f7bb4fcadc4170c56abba0232d96b050b9f2b538cdb70c53772c6
SHA512 c3d6ccd34a8b5c14a6dcb35f48b475129c2e6d99fd34996383ff15a192286400a3589efa590aabaa1e61ba9a34795b26e5066d7fe7794b81d5044c3ad2b8e8b3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5695bc7fa8a6c2fc12f487c456a74006
SHA1 086acc5ea1c92ec6f846c869500b56be3d3ae37f
SHA256 022ce3b3ac5baa4a795102e990feca5aab79c58b6ad8c4059d6049678d2514c4
SHA512 529e5ef0de733256ec8e6455c1ecba201c352a00bf941c338970bef033f4dcbf070bb0152e5406abbd7517c3a86e653e9cd8f34f50a838e2080b5ee19ee7cc50

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 caa666e417a900a9d3656a4e7c754d66
SHA1 024e94aa82eaa77c2ccc842afb933c271fa8b5fa
SHA256 0f990448151d07ac77d2298f920807dca81f1918b70b8fa9dd49f24120d4a218
SHA512 ea19a145e1403e09a4ae47cfdb1480dcb95069f112c9d729c6ddfc2b7556a9abd8d9badbb8a1209c4c12a6dfdf858db96794cca528c93e6952b2e872c611f54c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 50d9a4d929feb824d16469a8fa41da40
SHA1 dee2611425bdc93b0d5399106d478a29c4185a50
SHA256 d468269ded497b45f1ebfe76deb93e7034ecb7fbbf9557fbe4ce292ba5b858cd
SHA512 74eab2d3e1090ef871fde4a3d8f9fe12f0903c4d16fd302de072cd82b3cecfccf16df04fbe62d3ec8e032f0bf275994394eb685da964f1d7631e51bd1fd29484

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588cba.TMP

MD5 26c5531b829904dec4cd99d612d705e8
SHA1 78b3fe1b1b54841097c55f2c83f4e1c17b6e72fe
SHA256 8918a1f92c4bcc0bb82e901c3c9fb8d937e498be923ef615c934fa5e09d928e4
SHA512 4d4b1fa46dd9cb4e3f09b044f987c5fb981f0dfd9aca641c03173cab7f379321f377fad03f382abc1af5e78ba78a552b116975fffe54932f593a8f61aadceaab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 df2362d5be1de6933a5eb1b1054a5625
SHA1 81909f70e374710717a385cdf921ef892532ae80
SHA256 f30719e8d0d70e5ccf2fb25c8fb3bf705db5cfd35afb23faebf24648e6c30366
SHA512 fac8caf9532b19d861e8f66836a68751ba808440d40fab25b52058b622181b6b685c6801e40eb33372563570983422c7a54c924797af942f59cfa8fe3ac9e0fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 8ad71feb1d70b6de7a1269bce3c03478
SHA1 58899f7991360d759f4074521d51f79fcd2ea8da
SHA256 0cd6100b37885be91902fbaf2945946d8508b67de9450f8c0caf13bc76f03ed4
SHA512 94fdc8e84c0266f13a61e61f64e4753b484154c75b2f01a260e8b9e474aa9e1ca70e915071933f51b05cef0093f4c8db23c5cbf5da5a2c03fdfbe51882ea11ef

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58bb1d.TMP

MD5 27ced0693183a8e0589239c613d4d0f1
SHA1 8e5c09b547957c4e563b1d89c5ecbb5add3c1abe
SHA256 108c734c3feba71ac650f26be9ccb4198f2894f600e263954bfd998e38b3ef47
SHA512 275ffcad746bcfc7f4017a7f82e918a94ec7883560ee5b1c80d3993cecf4924525574d480810c3147b351e78e94898dd9a011082c3456d2f5094011f865aaf05

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 adc13e068b25b68d74ada9bc8fc42c97
SHA1 701944adfb9caf769aa8d79096333329d6d927a0
SHA256 4d91c1d3562a3fdef25813fe05257844930ece93b5214c29d2410622cfa74222
SHA512 527ea278fe979f6e30d8e9c10e106629b1a49bb430050e3ccf4ea63d8d33e423d94dac0c4163a6e66a50f0655ac93bec75607d02221194d3a46bceb23ce77944

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\618a11e7-ad30-4d29-8c43-044c0545623d\index-dir\the-real-index

MD5 e0208ffde274485b970c887c12078d34
SHA1 8d1db5041933f024cda78d1bc0c06cb972718ed0
SHA256 4f964f6fe73f251ea6f5c15561f6c0e8d4fa69579a413ab960177fc47b755b24
SHA512 2a430ef92d3e9ee80d62ca327c35d6e0cf3208ce631b59cc2d7d3bf0ce4a846881bc30f7ec818d1796bf6da711119c58117be355af4fdc9dc9ae1e22a48166d6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\618a11e7-ad30-4d29-8c43-044c0545623d\index-dir\the-real-index~RFe58c05d.TMP

MD5 309672bb39663a86cca0e2efbbfa5c37
SHA1 3c7e85d4379e0fa5e8c6a9a7d97bee7c8256557b
SHA256 a0f81a2335bc964a5e7ef79208f038e1a2e9dddf5ed6c0fb5a2eb920513eb3eb
SHA512 5f3e0f0e5930f595799c7a51f44944d89fd2f8cca4922bcda93c6d41f5fee8b445c4af06e02cff31a4d928f1922a5ab2cf1dd8ab331d342bcafa5d6aec16f10b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f5f08ac7-6ba9-4084-8b7e-b9de6007c574\index-dir\the-real-index

MD5 4add113ec0dfbe6e4eaf9b09e1d2805c
SHA1 a5484424d6af5b798f478ee35add3e045d464bd0
SHA256 1e7239f14c50c89adb476933245fedef912a32fef8e8140e6f8b783fcd8e03cd
SHA512 0391aa4080a92f5364153760e3e6b32647a5355b4ac080a3e6464e12bdd0b92cf26d89cd3fa4999db62632c33268b7d5edbe3429f81dbf7db4f2f56497b3c69e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f5f08ac7-6ba9-4084-8b7e-b9de6007c574\index-dir\the-real-index~RFe58c36a.TMP

MD5 b7f356f08be9dec0c23c9ddf7fd7ac56
SHA1 4eaf865487802a1c73abfd22ba911d63b5b51660
SHA256 49b5902ed6d8bbfbe2aa79d13294e6d39d97e15f9926a15646ed48df4d9bbbdb
SHA512 2d5a710a11bd7780419fa0eb3ec63aed297e4ee661253f52cebc0749379dde10e5ccc55186e5c5f52b6c34ea8617ea3f9354aca52678873aa84494907eadb8d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

MD5 7a98aa5540ae64762189c720d569133e
SHA1 203fc40951927b8300a9bef18d6adb2c0fbeaaa0
SHA256 6f3df33cb3f220c905f458e42cfd057985fff2fa97a81b4c248ebff6f3d7fb72
SHA512 e38d219976cb00b7f92464de388f8e08dcfa04e35d008b6637b1dce4f5fff078c3ddccd82edaaab1060685097383fb5e5ab7891ea5105d4fea9a6b1038eec368

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 cf85a5276dd63d533fe1d5b4eee5f001
SHA1 a799b2534b60eacc2595bfce8d13bb2a2fdac360
SHA256 8583c06435de3456759410e5bc7fa4edb428faa213ce6a47df4bae321b557e61
SHA512 023d4d489bd6227da8532d5a9367e3b48efb36c622316e6626144b997473ebe74b2b337616720f68d657449ef86b3f8e6ab9f7ed9cf5939873df4ad45680b9dc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a56e27cc15877a1ede561e187aecb423
SHA1 b7bd88ad5da1aff77a479a75332f4bb39850d538
SHA256 35e1dc7b8e10e9ee9cea42d040f4ea617de4c8298c2c2ae60076538c29f1faf2
SHA512 abea6af4ac50ac91f3b02c4c4478fd614894ea49d5a84979e07f15cde4061ccb050a0ec3e11dded0fda9714221e486526c41bcffc54f69e971c7dac09f150110

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 7ad392e50331136ad4532d28db617503
SHA1 0303ef19ea989b2f44ea86de2a8e19e5033d8bfd
SHA256 b3472d913ba4f566bf105ff62f81e33e8c85df5707079f724656cecbedabab0e
SHA512 6d1ae9e9e5c210a5ef3cbd741bf104ec0a7d23d8837f783e54a7a070593480dc7f6f7436be60f83eee7fc5929054058fa7031fc2f62c8c21af989042bdd2b4ee

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a30d020dcb6be3d3753baba3d817c96c
SHA1 36dc839f1e717c76ee3d700c095beea1674cabc6
SHA256 7950b36585e327ae85b085824db285afceb1487ccf9d79abfe44c139af43bd52
SHA512 9a8a87c0632bd12bd288e3baea268e6297ca13e0939400b89d9c9489721edb087db691c7939fd0d23457215d01b785c00dfa12480877165e71df881692c2cb70

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 aecd7d0f1343452076566416bb13b48d
SHA1 479e70849195e4acbe98cdea2a0e5526dfd3d99e
SHA256 58fa24d095c31427143e0eb477f6f98ef161f0f48a3ecb90d6f34e09d2dab335
SHA512 6c378c2d4217e636577474fb378cb58d07afd857517e27b7ce0ecd750321ad6a6d4d6508f58f32a8dee1fc842c1b8d5a04751c75e91b17fd8aba51fe28e74119

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 a04e17787fc1359b29e476bdf8cfaea1
SHA1 8d03b00ebff9ed984aba686a2d5937af0a0d018b
SHA256 8cc4b3d6d9e3a649002dbeb7931ae31cb432d1a3b6d4702c460f2d65a3e1a08b
SHA512 440e73cf864cef81071127f33c9341215665819d034fa549d68c0693b211e9f89abd4d803fbed9f484d1be5fbcb8b1afce5f33f456c3cc7b7e763b748488e90e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 420ad98cc5ef83111b072c3c944dec6a
SHA1 880a0e17cd6cc5acbf75437d7563be5aab1049f1
SHA256 8a9509f612e508c0b6adc23c624dae660725fa7e3dc5ba531e6be1c83fa09ffd
SHA512 0f670b6c6178a4220e5791fe02d37ae7a2c8ea73afb7310b2bccae5e748b9bdcef2ce9532f683c357c2505557c0a53bf594cc8d8988fe3f12d1cdb678a2def39

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 7acfa1f1bffd77d64fd5c6eb5ac8b26c
SHA1 5151d7e6a52a3608cca820ba80c0ccba8da29906
SHA256 3656f05cf6be190e95afed15c60a219177f46b4321019b30ef1ffe3e0ea1b6ae
SHA512 2e22a67fca00e977ba735dd8e2355484519f7f71c2967020e4034d60651ad22cf9270b12bfdc0f5927cf41e42c73eb65394ada8ca28e98296564513f1e54f465

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 5dc6459460a51b18867e225e809c00b2
SHA1 6a03ae4c29bf6cc1d44e4a80734e6abd6b1d1c9d
SHA256 26ebd0078152fd097368f19c9afc0d9a7900f127698c291bd55743c3e723534c
SHA512 0824a5679bae2f06da6bbfb051510af84d5c7675a34f8a899f2bc1f7e7575675ef6d16567486d1e9cf2f40eb2275b5f2bb0d3521801b97e9c01bd20ae04ba3b2

memory/1528-1544-0x00007FF6D55D0000-0x00007FF6D6217000-memory.dmp

memory/1528-1546-0x00007FF6D55D0000-0x00007FF6D6217000-memory.dmp

memory/1528-1545-0x00007FF6D55D0000-0x00007FF6D6217000-memory.dmp

memory/1528-1548-0x00000251490C0000-0x0000025149107000-memory.dmp

memory/1528-1543-0x00007FF6D55D0000-0x00007FF6D6217000-memory.dmp

memory/1528-1553-0x0000025149110000-0x0000025149111000-memory.dmp

memory/1528-1552-0x00007FFBF4090000-0x00007FFBF412E000-memory.dmp

memory/1528-1547-0x00007FF6D55D0000-0x00007FF6D6217000-memory.dmp

memory/1528-1555-0x00007FF6D55D0000-0x00007FF6D6217000-memory.dmp

memory/1528-1556-0x00007FFBF51B0000-0x00007FFBF53A5000-memory.dmp

memory/1528-1558-0x00007FFBF4090000-0x00007FFBF412E000-memory.dmp

memory/1528-1557-0x00007FFBF2A10000-0x00007FFBF2CD9000-memory.dmp

memory/3688-1562-0x00000000014B0000-0x00000000014B1000-memory.dmp

memory/3688-1564-0x00000000014B0000-0x00000000014B1000-memory.dmp

memory/1948-1563-0x0000000000400000-0x0000000000472000-memory.dmp

memory/1948-1565-0x0000000005790000-0x0000000005D34000-memory.dmp

memory/1948-1566-0x0000000005280000-0x0000000005312000-memory.dmp

memory/1948-1567-0x0000000005220000-0x000000000522A000-memory.dmp

memory/1948-1568-0x00000000085C0000-0x0000000008BD8000-memory.dmp

memory/1948-1569-0x00000000080F0000-0x00000000081FA000-memory.dmp

memory/1948-1570-0x0000000008020000-0x0000000008032000-memory.dmp

memory/1948-1572-0x0000000008200000-0x000000000824C000-memory.dmp

memory/1948-1571-0x0000000008080000-0x00000000080BC000-memory.dmp

memory/1948-1573-0x0000000008370000-0x00000000083D6000-memory.dmp

memory/1948-1574-0x00000000091A0000-0x0000000009216000-memory.dmp

memory/1948-1575-0x0000000009120000-0x000000000913E000-memory.dmp

memory/1948-1576-0x000000000A250000-0x000000000A412000-memory.dmp

memory/1948-1577-0x000000000A950000-0x000000000AE7C000-memory.dmp

memory/1704-1578-0x0000019BC61D0000-0x0000019BC61F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dljdznrf.lcp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

MD5 5c6cd96d1005c0ee80129d5d3eb3c662
SHA1 0628c3bb31af41ba0649bb0698a30e51f583f477
SHA256 92dcafec59fccf37f61c55793255fa3ba4e715471cda12a1af187253be2e8aed
SHA512 8b3f12a38635e79e4a7c3e0459a15c0cc7b9e72ec0826307ade09646b0bc7005fb98f904cd7ad4dbb3d07654ba2dc9325879d8e2699b005c58d64bb8de4e6aea

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000003.log

MD5 775b5a03de55172ae60c55e13851a037
SHA1 b64f3ba92c8bee61ba9f3bc3a234dcab3b1c5e9f
SHA256 a4ff483522256388aa8a4f250f0e01fa92b943d68b3f494a5f600a69778c97f1
SHA512 cba84f458b3f82b664df58d170a9a1b9cab846bd2340cd924e6f0348092f404b8a3e15b5a40c776c83a0a20bfec59fba2bbe5fba6c5129582ae0e0963834c28a

memory/1528-1596-0x00007FFBF2A10000-0x00007FFBF2CD9000-memory.dmp

memory/1528-1595-0x00007FFBF51B0000-0x00007FFBF53A5000-memory.dmp

memory/1528-1597-0x00007FFBF4090000-0x00007FFBF412E000-memory.dmp

memory/1528-1594-0x00007FF6D55D0000-0x00007FF6D6217000-memory.dmp

memory/3608-1601-0x00007FF7CA820000-0x00007FF7CB467000-memory.dmp

memory/3608-1602-0x00007FF7CA820000-0x00007FF7CB467000-memory.dmp

memory/3608-1600-0x00007FF7CA820000-0x00007FF7CB467000-memory.dmp

memory/3608-1604-0x000001FF36E10000-0x000001FF36E57000-memory.dmp

memory/3608-1608-0x00007FFBF4090000-0x00007FFBF412E000-memory.dmp

memory/3608-1603-0x00007FF7CA820000-0x00007FF7CB467000-memory.dmp

memory/3184-1628-0x00000256B5F10000-0x00000256B5F2C000-memory.dmp

memory/3184-1629-0x00000256B6350000-0x00000256B6405000-memory.dmp

memory/3184-1630-0x00000256B5F30000-0x00000256B5F3A000-memory.dmp

memory/3184-1631-0x00000256B6570000-0x00000256B658C000-memory.dmp

memory/3184-1632-0x00000256B6550000-0x00000256B655A000-memory.dmp

memory/3184-1633-0x00000256B65B0000-0x00000256B65CA000-memory.dmp

memory/3184-1634-0x00000256B6560000-0x00000256B6568000-memory.dmp

memory/3184-1635-0x00000256B6590000-0x00000256B6596000-memory.dmp

memory/3184-1636-0x00000256B65A0000-0x00000256B65AA000-memory.dmp

memory/3320-1639-0x0000000140000000-0x000000014000E000-memory.dmp

memory/1536-1652-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1536-1650-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1536-1649-0x0000000140000000-0x0000000140840000-memory.dmp

memory/3320-1646-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3320-1640-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3320-1643-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3320-1642-0x0000000140000000-0x000000014000E000-memory.dmp

memory/3320-1641-0x0000000140000000-0x000000014000E000-memory.dmp

memory/1536-1654-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1536-1657-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1536-1655-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1536-1662-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1536-1667-0x0000000140000000-0x0000000140840000-memory.dmp

memory/3608-1663-0x00007FF7CA820000-0x00007FF7CB467000-memory.dmp

memory/3608-1666-0x00007FFBF4090000-0x00007FFBF412E000-memory.dmp

memory/3608-1665-0x00007FFBF2A10000-0x00007FFBF2CD9000-memory.dmp

memory/3608-1664-0x00007FFBF51B0000-0x00007FFBF53A5000-memory.dmp

memory/1536-1661-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1536-1660-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1536-1659-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1536-1653-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1536-1651-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1536-1648-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1536-1647-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1536-1658-0x0000000000EC0000-0x0000000000EE0000-memory.dmp

memory/1536-1668-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1536-1669-0x0000000140000000-0x0000000140840000-memory.dmp

C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\QtQuick\Controls\Private\style.js

MD5 b7007e95986bf87da8d01cccb5be1a59
SHA1 42542ef3555d9b2a90ead4040381365010374899
SHA256 63e1f4a5e31c74a90bf3323681fc7fcbe0267c84276db5fbc0eceb2c8b63583b
SHA512 aca4bf6698a5aeaa43e800943a9121bdb1224f79c5f14173e5b6f8b88a30169dbb85f9e7104767b6f794b8405164005ecad6c7473bf607edfdaaf9acf8442b20

C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\QtQuick\Controls\Private\StackView.js

MD5 28c5c99a6c60fbf3a58d837f1ee79a86
SHA1 be2c731443ff067b2af420defce55d0add7fad30
SHA256 2370db5cfa60bc01a044352c0ec414c201beec0243589118962b6e1535facd55
SHA512 d55ec7b3cb5862115c11a9b1a4bbd8c69c5a576467f5eb2e38920ba34a0428d1d785fad12da10eeb0c364c96b4f16ad52458d7a8cc160dc7dbaed17f3e0dae08

C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\QtQuick\Controls\Private\CalendarUtils.js

MD5 1b0500921ec31f1aa74b5e1945fa47ad
SHA1 de461db18147aaf773d8beb8bd4b09d08898d810
SHA256 52bb237125099dc7ae448d462e4571f06bb7fd4d8a2ebc83bd4a746b3277a0b5
SHA512 7fb58c83dad040ab97ad8721dc8f7c1b104e30b73aadd5cce5cef835e250356f0c4f3632a66e3b2bb0b84262ede1e78a6808cba7de33a5a8d8746c144e331d1b

C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\imageformats\qsvg.dll

MD5 b496d40dee742690f456547459ac29f4
SHA1 1e09f7fd27aab8365d405a38f66876fa90f6c049
SHA256 e87918ccb5e7728694224d5917a7dd194a719c0398926719d520ceef45fc8d8b
SHA512 4d292f119252b1eeb63bae4d1567c0fc0417b4726ee6aa675651d15ca40c76065cd60e3ed8b3dd766c9d3aa1bced82c6c0faa683ac923b4b3fecdedd4ef126c0

C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\imageformats\qwebp.dll

MD5 969cb040c642626b5f5c80cce081415a
SHA1 5d89753054515df2c972db8ee70d9e99d62ba30b
SHA256 9ab90d4715ddc08940db3ac1c7fe09e92cbaafb58224155bf1b7b9797356c821
SHA512 aa19a5ca6f9c225bec4ada72370580771310b90f24f98ff3d15dd810090cee95e105ba17510d46fefa7ada1d21f6ad32473494bfd5db635d8b2b0ebab7bf5443

C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\imageformats\qjpeg.dll

MD5 d987845231298b1d4e618d5921122662
SHA1 57e739f18e793fb6834d62e03833a00ee3053bb7
SHA256 49b4174013c42cb9b600bd1a4eed00dca6629fd23415888491372d5ef3631a40
SHA512 0685f59f08313712ab21c06bdef2b2ddc84f2dd25bd4cc5e010acc615c387fd06e3d24c8b0ca4ecbcd3d20bc1a1ad6c8af90ff8397ac0b0e821318ce64fe81c9

C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\imageformats\qico.dll

MD5 8ec44d88ae4f50b81e862bd63ce63dcc
SHA1 0d3ae71778193c32584cd3cae87a8b132b34a1d5
SHA256 48bf27e41bc291e105649cab68c452b795bd45f2841ef0a57d95be9a05b4a0d5
SHA512 e49b11ce676e638b5083fbd41e4626a28c7641a2ff1ac2dc3bda3c2e0199e6d2a5784faf3f60c7467705c91712addbc89d75b5aaf3f767d773659e99f2a67cb5

C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\imageformats\qgif.dll

MD5 0b1c9399e0c843cb846eaded98c95b8d
SHA1 ebac00b027b9c7e87d5ecea5d12b02311985c531
SHA256 bb971257430771b93fea7ac9a708815167c0524bee9fa2e5ba4ed455c6f9b9d2
SHA512 76e8486437c44ce677d3560f4a67bf1f6258ee2a77a9293750aae4acbfbb7b74c4ccce9edd94bb3ed4809cc822dbf9ce2060226ef3ed8f2001be640fb5a7baf9

C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\styles\qwindowsvistastyle.dll

MD5 eec9a836034504337482df3dcead9cdd
SHA1 53fe236465d5a35dedc64512e4014179561c1217
SHA256 a72d0573a8d135e635480a9d96fe34b2710e6b159e65bb0a47fd2ea09ea008ac
SHA512 a8ae5f93ed3a578320b8651289c1f4d0b783fb0f00f5161c2be685712400cadc049a0c69594574a13192991a1f8b6e289b5613dfe6d8ed2546cfb12edf663634

C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\QtWinExtras\JumpListLink.qml

MD5 21f160862be9bebc7de91d5768fd3be4
SHA1 e55ebe9e2d12d1b430b66b1ebda0d4af21a68c3a
SHA256 cf099c0ae8c2c6df07c67a45f80793a866ef3833533bb43bc2fb43d612c697aa
SHA512 a236be4a3bbf5ed62bd7d6046766e4fdfca745707521e20c445e03129018488bbe65e36ad566e216f5d2586756fd973586074c5fada69733d83ee2711cf87731

C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\QtWinExtras\JumpListSeparator.qml

MD5 a390fa5b3b7c6fdf9225f80a5635c863
SHA1 a03aa651b3d74b6b74e531f2e87138558201fc2c
SHA256 0da2b6d2b039efbea00918c46fe8fe4f139117d4d66e959c342a2afe5da31234
SHA512 0a67f63a1aec5ab7720110eeb5aa27e4c6b35faac1ecb0117f70db6a84c8e2b05e924ef4de9a87ed28fdb85c9186a37810b4b91d535f96daf8409123f35b7bd1

C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\QtWinExtras\plugins.qmltypes

MD5 f32704e3c60a0351f3811f58ce2c500b
SHA1 dac2b2d8a24ca6e6f58a91899a65745180460adf
SHA256 9aec569ce20a50f8e8a0061eecc9786b1f7a21324bd9f6f7161b633ee12ed02b
SHA512 1d0bcd6d30e9bb27d56a38266df4fb8a7fb522ff8faccc53df45225251bd869d27670fa7b0df968ec5878904ace3c4cd948cbf5d8a851cfac96e8d2208dca1f3

C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\QtWinExtras\qml_winextras.dll

MD5 4af21827e45f56e2b9ef1213b1e26258
SHA1 e10895fedc91d5159fc3793f2780dda3a02d397e
SHA256 aa7fb78aada7c96fcc2142af9fc10a1a1ce3c6cd19ccfa2d5f719c93d38f6772
SHA512 6ed684a6d66fac27ad3f8733942c1bc0caf187274b8694b57f57208f1666d806844d0f4fce0b4a82c14d6d7957a60b7d1b1600dd3fe31bc01e8ff8cc7fa7f6a7

C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\QtWinExtras\qmldir

MD5 1e25b265956705ce1c38651bfdd0579a
SHA1 ab47fb1518813af29dff4ebc474d52c178ac31b9
SHA256 4e1df2363e9b2963d937fb7699859c4ce144f3e5342d71a6d57eacd6879d8fa7
SHA512 2ef61d2f6396b01117e27d8989fcb698032890e9af4703e1cc34712bdd61c80acf2924a70f4824c5c62b834b9285da89218da9ef5a2afbabb60f471cac742573

C:\Users\Admin\Desktop\Melonity_Installer v3.6\Source\QtWinExtras\JumpListDestination.qml

MD5 d87549cf0f9222d770f2890b62f9e2ee
SHA1 d4298e7093b48825151d144b8c1d411366146264
SHA256 8c9c8f6e19d63dbb637557a3b0139972d4eedbfaaf537aa4527a2087003ffbb9
SHA512 cc8c281f032f03905885f84fd2299d55f5161d565cb93c45d222a56720bedb5436d9f7232462b29eca95cadaaa71c814ccc3086bc304e5fd8857d1e15f0cc0a4

memory/2220-1698-0x00007FF625B80000-0x00007FF6267C7000-memory.dmp

memory/2220-1699-0x00007FF625B80000-0x00007FF6267C7000-memory.dmp

memory/2220-1700-0x00007FF625B80000-0x00007FF6267C7000-memory.dmp

memory/2220-1701-0x00007FF625B80000-0x00007FF6267C7000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

MD5 60ad21e008a8447fc1130a9c9c155148
SHA1 5dfa21d14dc33de3cc93a463688fe1d640b01730
SHA256 bb65e24fd8681e7af464e115fba42ff7713e933683cbd654a124c0e564530bb9
SHA512 42a2753f717a4984967907fa69200e8a464068a6d4a226803cf9503ffb7fee540ffc611b4c905cc84f3623639a6aa93003b390f9c38e601b59f171a9e90bd9b6

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

memory/2220-1740-0x00007FF625B80000-0x00007FF6267C7000-memory.dmp

memory/4040-1744-0x00007FF7ABF50000-0x00007FF7ACB97000-memory.dmp

memory/3248-1770-0x0000028DB0A60000-0x0000028DB0B15000-memory.dmp

memory/4040-1777-0x00007FF7ABF50000-0x00007FF7ACB97000-memory.dmp

memory/3640-1797-0x00007FF62C830000-0x00007FF62D477000-memory.dmp

memory/3256-1827-0x00007FF62C830000-0x00007FF62D477000-memory.dmp

memory/3256-1841-0x00007FF62C830000-0x00007FF62D477000-memory.dmp

memory/3640-1847-0x00007FF62C830000-0x00007FF62D477000-memory.dmp

memory/4540-1856-0x00007FF6F5110000-0x00007FF6F5D57000-memory.dmp

memory/740-1882-0x00000126A38B0000-0x00000126A3965000-memory.dmp

memory/4540-1889-0x00007FF6F5110000-0x00007FF6F5D57000-memory.dmp

memory/2340-1893-0x00007FF7B64B0000-0x00007FF7B70F7000-memory.dmp

memory/2340-1948-0x00007FF7B64B0000-0x00007FF7B70F7000-memory.dmp

C:\Windows\System32\catroot2\dberr.txt

MD5 d0106e3b08103e3e23d9423f0675531c
SHA1 735c0d48072c24d3c68b649c6db43d5b0ec0c1a7
SHA256 fda140431f7e5a547cd833153941ba5771ff06983875cd97f623860f34ffc665
SHA512 82793ff9c1eb91152e0e20708183b37f538ca11b750ebef06ac00a3fe98f808a79618ed59b446813212c91fdc2380e26fefccc2fa41934fb6390dd2ef0343ef4

memory/2980-1982-0x000001B53B6F0000-0x000001B53B7A5000-memory.dmp