Malware Analysis Report

2024-10-10 13:07

Sample ID: 240619-gkjd9szcpj
Target: https://www.youtube.com/watch?v=s86Ah3TFqO0&lc=UgxqJr11GcrC6PbNAOV4AaABAg
Tags: dcrat execution infostealer persistence rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

Threat Level: Known bad

The submitted URL https://www.youtube.com/watch?v=s86Ah3TFqO0&lc=UgxqJr11GcrC6PbNAOV4AaABAg was found to be: Known bad.

Malicious Activity Summary

Tags: dcrat execution infostealer persistence rat spyware stealer

DcRat

Process spawned unexpected child process

Modifies WinLogon for persistence

DCRat payload

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Enumerates system info in registry

NTFS ADS

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-19 05:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-19 05:51

Reported: 2024-06-19 05:55

Platform: win11-20240611-en

Max time kernel: 214s

Max time network: 215s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=s86Ah3TFqO0&lc=UgxqJr11GcrC6PbNAOV4AaABAg

Signatures

DcRat

Tags: rat infostealer dcrat

Modifies WinLogon for persistence

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\AppReadiness\\identity_helper.exe\"" | C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\AppReadiness\\identity_helper.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" | C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\AppReadiness\\identity_helper.exe\", \"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\", \"C:\\Users\\All Users\\Desktop\\msedge.exe\"" | C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | N/A (9 identical rows)

DCRat payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (5 identical rows)

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\gamesense.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gamesense.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cheat.exe | N/A
N/A | N/A | C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe | N/A
N/A | N/A | C:\Windows\AppReadiness\identity_helper.exe | N/A
N/A | N/A | C:\Users\Public\Desktop\msedge.exe | N/A (37 identical rows)

Reads user/profile data of web browsers

Tags: spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

Tags: spyware

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" | C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Recovery\\WindowsRE\\SppExtComObj.exe\"" | C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\All Users\\Desktop\\msedge.exe\"" | C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Users\\All Users\\Desktop\\msedge.exe\"" | C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000\Software\Microsoft\Windows\CurrentVersion\Run\identity_helper = "\"C:\\Windows\\AppReadiness\\identity_helper.exe\"" | C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\identity_helper = "\"C:\\Windows\\AppReadiness\\identity_helper.exe\"" | C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\rescache\_merged\RuntimeBroker.exe | C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe | N/A
File created | C:\Windows\AppReadiness\identity_helper.exe | C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe | N/A
File opened for modification | C:\Windows\AppReadiness\identity_helper.exe | C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe | N/A
File created | C:\Windows\AppReadiness\1c7346099e1d63 | C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Cheat.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2198854727-3842442895-2838824242-1000_Classes\Local Settings | C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Downloads\gamesense crack by Zodak.rar:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (4 identical rows)
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe | N/A (2 identical rows)
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (4 identical rows)
N/A | N/A | C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe | N/A (7 identical rows)
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (12 identical rows)
N/A | N/A | C:\Windows\AppReadiness\identity_helper.exe | N/A (3 identical rows)
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gamesense.exe | N/A (32 identical rows)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Windows\AppReadiness\identity_helper.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (4 identical rows)
Token: SeDebugPrivilege | N/A | C:\Windows\AppReadiness\identity_helper.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\gamesense.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Public\Desktop\msedge.exe | N/A (37 identical rows)
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (34 identical rows)
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A (2 identical rows)
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A (28 identical rows)

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (12 identical rows)
N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A (52 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4472 wrote to memory of 4832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4832 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4880 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4472 wrote to memory of 4876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=s86Ah3TFqO0&lc=UgxqJr11GcrC6PbNAOV4AaABAg

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc30143cb8,0x7ffc30143cc8,0x7ffc30143cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5128 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004CC

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5916 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6560 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\gamesense crack by Zodak.rar"

C:\Windows\System32\DataExchangeHost.exe

C:\Windows\System32\DataExchangeHost.exe -Embedding

C:\Users\Admin\Desktop\gamesense.exe

"C:\Users\Admin\Desktop\gamesense.exe"

C:\Users\Admin\AppData\Local\Temp\gamesense.exe

"C:\Users\Admin\AppData\Local\Temp\gamesense.exe"

C:\Users\Admin\AppData\Local\Temp\Cheat.exe

"C:\Users\Admin\AppData\Local\Temp\Cheat.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Surrogateprovidercomponentsessionmonitor\fwEx1nOnvkg59k8ditiCSLvZ.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Surrogateprovidercomponentsessionmonitor\8dC7dWURSvVb5jH3vbVWqYn.bat" "

C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe

"C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "identity_helperi" /sc MINUTE /mo 14 /tr "'C:\Windows\AppReadiness\identity_helper.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "identity_helper" /sc ONLOGON /tr "'C:\Windows\AppReadiness\identity_helper.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "identity_helperi" /sc MINUTE /mo 5 /tr "'C:\Windows\AppReadiness\identity_helper.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Desktop\msedge.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppReadiness\identity_helper.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SppExtComObj.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\msedge.exe'

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Русский Manual.txt

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TxzBVPDJKX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\AppReadiness\identity_helper.exe

"C:\Windows\AppReadiness\identity_helper.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,10733165766145013014,15155118774781077952,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4800 /prefetch:2

C:\Users\Public\Desktop\msedge.exe

"C:\Users\Public\Desktop\msedge.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /0

Network


Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_4472_TXWMQGORFOUPDUGE

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe588cda.TMP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\9ba6acb7-474f-4db9-8510-53f5c1c946eb\index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\dd95c665-d3ad-4e83-9ff2-ed6a579a060e\index-dir\the-real-index~RFe589bbe.TMP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\dd95c665-d3ad-4e83-9ff2-ed6a579a060e\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 cc66b9231575521cf5f45edc5c6bebbc
SHA1 c9774f604b513d19ece4a6630ac1a24bd6e7d5eb
SHA256 516fcc631b485fb9b9bc2b88358fe5f22131238a0301c8b3df00303c34b945b6
SHA512 2ba634f7669bb569ad4ac5a987d1c375e8967beeaea2443a28fb180016e448e4698732ac51ce44c0b5dbb63cf159b9080750b3a5b0c87fd0534adb3132d030e1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a6ab.TMP

MD5 35fab3f6675ca2205df7aa8bfab06965
SHA1 7ba4f7926dac087e0a049908c2fa86b0767b614a
SHA256 775a6643545022ca06e260ab9ff06236a7720a81c638d629cf1ca1fd38d122eb
SHA512 cba924529f67024614d9cf68169d9e22b1a3d481fedeb0ea6af69d04a201bb7907d5a249d38ff99ad5a6c33be0a2b771149fbfa06286f139f80b3d881064c1fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 104a5c6dd94e1779ab9224377eea2541
SHA1 8be80e991acbf0161a67611ae4baf8d9cc155ea0
SHA256 9bec651786e27e3000b1e9cd8932d5649e17f35c4f277297d98401217cf2a5e8
SHA512 56f13f398925a018f144c87bda1b3883e0327caffc73b0c03b6b2511457b2d1bbdc3aa90ea058ec35ac11e77c3a000fdf835465717abcfb5b238d6c432a36329

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

MD5 97ad0b8634b6564f71b76098b702611b
SHA1 c29ea74a4564b5a73ec0001973c81a61851a1c68
SHA256 c9c750c011d73fcc086d165c9f1020de2bb4e8f0c02cc0b84e40c77ec3f22f3f
SHA512 164a1c30730e4a32ce9f3047e4e662cf09ed7d3e737841df4118f1d07128df7e6fabccb61ff3694d8deda34c8cbb0ad1d5da07ef1a0949c47c807cbd2b41c1e5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\417736dd-d942-49ae-9ca3-43aa77518c0f\index-dir\the-real-index~RFe58caae.TMP

MD5 f9026a13b97e57aab9d48aee16fa0990
SHA1 7bf3c80e04378899102f7b75cd4ba52319948d59
SHA256 f507e4c16310e90030ad3c15778dcbf2a64fd1fc2982f34bde234ae8f0e117a6
SHA512 552e0a9f4cd290eb1b570ed82a7006353e6a5d105b64f4b4c928f0e62fba7b0b7a6162225fdbbdfff6badce3e603cfaf19cbc21afd940442510514555a553d9d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\417736dd-d942-49ae-9ca3-43aa77518c0f\index-dir\the-real-index

MD5 e6dc374c0ec1a320db9a3720e4eb0f09
SHA1 dfa32fb43eead820552835932e04bc4883becc38
SHA256 d0baa24d78d5fb454c5acc0ec1d8603066fe07c9fa6eba08f68e407bfd94e9b4
SHA512 b7b6ae575d2bfadb476c0f3405e3e740e30312384febde31ad2ac46aa966505d505c30ec017f37da5ea8146824ca87fbfa940c41e90cbad42f0978385f9efd2f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 d8d95f58fe423bb91ba9e2ac9f7341f6
SHA1 a752211bd058b041cbb2ad98e411f45d31577ff0
SHA256 94b5a44430d41229c8aa484ca741904580effd649eb360313e22d270fcca2692
SHA512 2eb6628a8bf04205481b6c138f00be96dcdde24ca6e0d6e31dd5b6f9560e643b268d19c468762e551ce3fb003510d31b6e2561658a8ebefdd47601b27c1fb24f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b4669e003115d3d1d7ca0533a7da5d04
SHA1 b0c9c7e72d9069382d34c5f76cea09808d87a42a
SHA256 2b7b580bcb8b811814e3039d6e9a7dfc269a87a16c4f7b1bb5b134597536b207
SHA512 a3cf5ff58140919ffc1d399155ccfcdd6d341d5ddb2594d9c80ad172be0023b8e6e6d1f7a2706ccb087498f3ad3839800a38b7ee62a2b9bd27ab3bf107ba03fe

C:\Users\Admin\Downloads\gamesense crack by Zodak.rar

MD5 c67382f4fdd3ef483864a1ef1bc9f6de
SHA1 fa6852f6f15570f8d79ee8ea552229211263771a
SHA256 d1fb67f27c1026570ab246e1811ab5ea056102aca8aa02626b9bbdf3b19e94d5
SHA512 bc23ed9d6a57f49eab55683cc75e500859eb6820aa9f631218a14a0601abe494449f149ab6f72bc7036f3db1eeee06794f65f502bf9b61739af7619b4d2d15b4

C:\Users\Admin\Downloads\gamesense crack by Zodak.rar:Zone.Identifier

MD5 42a1efe22bda1b85a69dd5f05134fe6d
SHA1 9fb918706b02e08b5e31c75f9d47814ee99f16af
SHA256 391ff6ec5c367b0686a656bd85bcabadbc0aa693284fe32f32c503ce8419b7d8
SHA512 709a9a3d56fd5e7bcaad91c7c28073c03d220b6739bd85f1548d04cd0c91de9fa046027a94ad8cbf4ced37f1ef0655778a95f99305551950f185e0b9a7c6038e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 c3cdea7048a57fb38bfdf1149d4fac23
SHA1 587b3703ee00da73c2729e5536d1bed8a57f4a75
SHA256 d0c084507259e6fc5b568248a7ac2cc18f1c0e4fda367cbabcde8e388d08a442
SHA512 417dfb051cb5454871a60e859319baed0a30a56fa5765da75b1e5be1a2b092f5ad04e3c9f964d271e5dc5ca34d54f187e74e65744a7feeb551d01f1fc64bbfac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 a3100ecb005d3ba4002dbb3aadfcfe0c
SHA1 554ccd5b695c0e8f02a40e69e0d6bf46a485132f
SHA256 8e84c9a993d1b38c18c0e27de7c46a046f3375d3875209562b263ed60f572ad4
SHA512 38752c0e775d414b476ed3847704b7a78dc08c8054b8b936c272b045797be3fabc861f24f667655f8149fc749bcbdfe7bfbc729214bc66e3fa5dcdba753e9db9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 933bf4f111f28875876d0b50316b1d6d
SHA1 87574f7dc4e1bf59b41a2c721a6415ea44912cdf
SHA256 69c1a133219742a76d90122c252cdab885c8ad8da5828409e11ebad13315e1d6
SHA512 9f9caae69fb99f2b6ae11084bd251c77276719e667c330330f573209d68feadc59bb886dee08ea2f63f53774b1ff0b129d9f19bee9fda1758760ed62f6bf5e86

C:\Users\Admin\Desktop\gamesense.exe

MD5 323789d025dacb3271560ec6828f3599
SHA1 45d8f4e2e6fbc2208d0b7504312278cd9906a6ad
SHA256 91b6898be40df462f6fa6ec29737e95c8d0186db9a002900e258d454f2245caf
SHA512 268466bd8c57e9a68cbd4cdc6991985384f438e531a913078ff9c0c1ebbbb23e335987ffd1f6085f2e1b624b6a2f9105e29990db6ad2791bab0a57cb43798d9e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2b6f5549b5b1e2eefad7b352097ca2ec
SHA1 d0755e2cbbc52610db2420f1f61c6e84108847ef
SHA256 775fe45590ec19aaf9d0a5bae76bf742c51e9b665ecec2c365f1b33e85032bb4
SHA512 a9eba23ff4b7530a741dab72a30e822bfe989c1e9a9d3449221ea6fedcb11a06e70e4839db2e32be6606b20b0be94a01c8dd94f4017c9277913be0500ad66597

C:\Users\Admin\AppData\Local\Temp\gamesense.exe

MD5 87ced90d1ad4e72a9def424f60f18c27
SHA1 9327a6ec09d704d1d69ebb40a73299e1385b8090
SHA256 4f8b135158323aaee7cb5fef4b2909b8eafb1ff54820444be8f20425bb6b90f0
SHA512 7f39eb3b546042d457274564697e2a10efc1f66eaa23932945f7beaeff46eff48e1f372d6f5484fa6f639c39bcba0a023780ee83f06af777942aca4bdc1eb5c9

C:\Users\Admin\AppData\Local\Temp\Cheat.exe

MD5 d5408d1092441ed52a431df47c047975
SHA1 060d1a490b34f40a9c153688bb88c5f54ca28412
SHA256 2b79c39c63ede2f31c74667ed07ae2633eda11b9a4199631c9418ec5f88f9416
SHA512 3bda555d052e115a695c0781f8b058085bcb0be7b97475c9013033b920995721469be4b0d66574fac98c528803aa34f5aeca07c7799da41c170c24475acc23a8

memory/392-981-0x0000000000400000-0x00000000005D7000-memory.dmp

memory/3528-984-0x00000000000F0000-0x000000000011A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4e763fa67146c935f04a3f817182f295
SHA1 02123bca65924990edc3933dd00089ddfe27dc68
SHA256 7fe75d7c8aa989b406bf6eb41bc444a2d70a272e77ed351ef2e66a185d5d72d0
SHA512 dd2c1221982df2eef27e5da2665f0b2bc624f26af6f6a2d3bbd6cc4de4db666282481dfc31b442b797f4e97321e3ec307276e1d515626d1eb6ce9dc2d3b8c56a

memory/3528-996-0x00000000051B0000-0x0000000005756000-memory.dmp

memory/3528-998-0x0000000004C00000-0x0000000004C92000-memory.dmp

C:\Surrogateprovidercomponentsessionmonitor\fwEx1nOnvkg59k8ditiCSLvZ.vbe

MD5 fb592bbe3c116ea02c33f03b27256684
SHA1 7363984c79027be50b7e0b540e651b2cd6f4c7fc
SHA256 3b1c67da4dc71e19baedd2b111ec14afad377b138e6904bbebc1e682d514a983
SHA512 51903e540edb738f520c2b2d4946f16ecc4c153ee1ec3b585d37f4b11cfea220598b2958c6509e9202c93da0f578ef4056b0ae2737c5aba237be95671041f7d5

memory/3528-1000-0x0000000004BC0000-0x0000000004BCA000-memory.dmp

C:\Surrogateprovidercomponentsessionmonitor\8dC7dWURSvVb5jH3vbVWqYn.bat

MD5 6de687cf7ca366429c953cb49905b70a
SHA1 58e2c1823c038d8da8a2f042672027184066279e
SHA256 80d02a1cb8e68ffbc609a6c4914600604153ce929d46994200f837d354a5a611
SHA512 6bfa7a07d6adf167458cece0ba3a110479ee7677feb58c0ae9ba5c8913bcdda13664060ce0261abc1668c18831d5c73f6bc570be8595323d46704b810fc024ef

C:\Surrogateprovidercomponentsessionmonitor\browserwinsvc.exe

MD5 774fc5ad85ff47dc68b61028c2689562
SHA1 01682ac31b13d45d6264491c9f2344ae6231bbd7
SHA256 cd7e2fcf8b09dbb7cdfdd6cb0d72c16708bb24888db7600d2dcbd56e4b26d7de
SHA512 237a6760a021d1876702922320b7fea42a4c4e12465392f5a56094494ebcf58c0f6167e2935fdc9c6e92a6414166be0e38c4ad77df411875baca2fe79f0aeceb

memory/4408-1005-0x0000000000C30000-0x0000000000D92000-memory.dmp

memory/4408-1006-0x00000000015D0000-0x00000000015DE000-memory.dmp

memory/4408-1007-0x0000000003060000-0x000000000307C000-memory.dmp

memory/4408-1008-0x000000001BAB0000-0x000000001BB00000-memory.dmp

memory/4408-1009-0x0000000003080000-0x0000000003088000-memory.dmp

memory/4408-1010-0x0000000003090000-0x00000000030A6000-memory.dmp

memory/4408-1011-0x00000000030B0000-0x00000000030C0000-memory.dmp

memory/4408-1012-0x00000000030C0000-0x00000000030CA000-memory.dmp

memory/4408-1013-0x000000001BB00000-0x000000001BB0C000-memory.dmp

C:\Users\Admin\Desktop\Русский Manual.txt

MD5 a497f67aa133c4da46e04970f0b4c450
SHA1 87796285263ab635459d75521eff7c20c2ae966c
SHA256 92283ad98ee4731f7be5e02d57d553b0a86b4b22cd2703bc94f7f3f09cc5fded
SHA512 9321d3a929f2bcb8f0772999a85efaf692c1791ab7420e5f8c7f6f77f457a2984f968a2eb6100da7a3423d836370e6719bb438d9576d19477633c4b78698d0d7

memory/2020-1030-0x000001DA44FC0000-0x000001DA44FE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3lqpkzw4.ub5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\TxzBVPDJKX.bat

MD5 57b80eec166611b941a87754b01edc87
SHA1 fcd0077960446d7d07c435d9eb240028dfbecc23
SHA256 1144b7bd3d7c59e358c49e4ff2be876ca33799686654d1cef6f80cca135f4e0f
SHA512 046a9c32280d77b59e29e7fb4627411f891838c84613e40718cecc4269ceb5f7e90618c36bd69d7dc869d0dfaa40c9370ec233548dc44f74aee928d235163c03

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e3840d9bcedfe7017e49ee5d05bd1c46
SHA1 272620fb2605bd196df471d62db4b2d280a363c6
SHA256 3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f
SHA512 76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA1 9910190edfaccece1dfcc1d92e357772f5dae8f7
SHA256 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA512 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa4f31835d07347297d35862c9045f4a
SHA1 83e728008935d30f98e5480fba4fbccf10cefb05
SHA256 99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0
SHA512 ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e43b2cd654b865b974061439273efdda
SHA1 cb1d14fe450e88d9c3e4fbefcd9b2ad727983fad
SHA256 d6c2f568cf61ca6e7c07aab0ca37b4ccba209f0d671ff8dfd9d4f0ee48578c42
SHA512 534bc3a5b1c435f29ad60e2c496c790e96c6c528f4e11b90f8be526ab1658bff502dd5c40a6a69bd812f2cd6924c6773fc7c4c26a508ad4f87ad85e0ae713153

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

MD5 c29d83041db39424c38e93efd6fbe041
SHA1 f7e2595677c749b7d6a3dfb8047090c9d196a736
SHA256 c3acd422ae93bb5df0899fb1a2fa10517d209b19d2b6e7a46fd4348899ff4e32
SHA512 d7d8b97dddbec6954ad5a085311aa1fddcd89bd1d0e70c26670c8d92620747243579027bfb4211d82ff0327c17903678558faa3b23c02a1b6c8fc877f2f42c22

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 34ec70b32304fccb3704d6b9d319f8e3
SHA1 4f2242a5515cd8cceb9058ebf60e4890f3a36edc
SHA256 44ad80016ddbfa3d5a5a62ce828e70aac005de0e035137045af6c6c9871e36e5
SHA512 6e49eadff954ecd6a68bcf4b75afc7f22336354eb202e48e99d8ad6e3a1aa53f48dfc29be34d83787faacec5cd67e19af02ac66ec7b9aa881b96cad58def81f1

memory/6356-1152-0x0000014C0FB00000-0x0000014C0FB01000-memory.dmp

memory/6356-1151-0x0000014C0FB00000-0x0000014C0FB01000-memory.dmp

memory/6356-1150-0x0000014C0FB00000-0x0000014C0FB01000-memory.dmp

memory/6356-1162-0x0000014C0FB00000-0x0000014C0FB01000-memory.dmp

memory/6356-1161-0x0000014C0FB00000-0x0000014C0FB01000-memory.dmp

memory/6356-1160-0x0000014C0FB00000-0x0000014C0FB01000-memory.dmp

memory/6356-1159-0x0000014C0FB00000-0x0000014C0FB01000-memory.dmp

memory/6356-1158-0x0000014C0FB00000-0x0000014C0FB01000-memory.dmp

memory/6356-1157-0x0000014C0FB00000-0x0000014C0FB01000-memory.dmp

memory/6356-1156-0x0000014C0FB00000-0x0000014C0FB01000-memory.dmp