Malware Analysis Report

2024-11-13 14:19

Sample ID 240704-wbwessshle
Target https://www.youtube.com/channel/UCCmzcphyrH6Br5eNUnQR2mw/about/about
Tags
lumma xmrig evasion execution miner persistence spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The submitted URL https://www.youtube.com/channel/UCCmzcphyrH6Br5eNUnQR2mw/about/about was found to be: Known bad.

Malicious Activity Summary

lumma xmrig evasion execution miner persistence spyware stealer upx

Lumma Stealer

xmrig

XMRig Miner payload

Creates new service(s)

Stops running service(s)

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Executes dropped EXE

UPX packed file

Power Settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Program crash

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies data under HKEY_USERS

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-04 17:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 17:45

Reported

2024-07-04 17:54

Platform

win10v2004-20240508-en

Max time kernel

510s

Max time network

511s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UCCmzcphyrH6Br5eNUnQR2mw/about/about

Signatures

Lumma Stealer

stealer lumma

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence execution

Stops running service(s)

evasion execution

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\WmiPrvSE.exe\" " C:\Users\Admin\AppData\Roaming\1.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\WindowsManager\update.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\WindowsManager\update.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\WindowsManager\update.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Roaming\3.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Program Files\7-Zip\7zFM.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Opens file in notepad (likely ransom note)

ransomware

Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\1.exe N/A
N/A N/A C:\ProgramData\WindowsManager\update.exe N/A
N/A N/A C:\ProgramData\WindowsManager\update.exe N/A
N/A N/A C:\ProgramData\WindowsManager\update.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\WindowsManager\update.exe N/A
N/A N/A C:\ProgramData\WindowsManager\update.exe N/A
N/A N/A C:\ProgramData\WindowsManager\update.exe N/A
N/A N/A C:\ProgramData\WindowsManager\update.exe N/A
N/A N/A C:\ProgramData\WindowsManager\update.exe N/A
N/A N/A C:\ProgramData\WindowsManager\update.exe N/A
N/A N/A C:\ProgramData\WindowsManager\update.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Windows\system32\dwm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\3.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2388 wrote to memory of 1088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2388 wrote to memory of 3488 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2388 wrote to memory of 5104 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2388 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/channel/UCCmzcphyrH6Br5eNUnQR2mw/about/about

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0x108,0xd8,0x7fffd7e046f8,0x7fffd7e04708,0x7fffd7e04718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5884 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3b8 0x3b4

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6384 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6224 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,15877394152916714666,11070102119442013819,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 /prefetch:8

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\UnivMenu_1.16\" -ad -an -ai#7zMap24635:88:7zEvent19768

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\UnivMenu_1.16.rar"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\notepad.exe

"C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zO0D37775C\_RDATA"

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\UnivMenu_1.16\" -ad -an -ai#7zMap23574:88:7zEvent30149

C:\Users\Admin\Downloads\UnivMenu_1.16\Loadkeqwkedkqwekqwek.exe

"C:\Users\Admin\Downloads\UnivMenu_1.16\Loadkeqwkedkqwekqwek.exe"

C:\Users\Admin\AppData\Roaming\1.exe

C:\Users\Admin\AppData\Roaming\1.exe

C:\Users\Admin\Downloads\UnivMenu_1.16\Loadkeqwkedkqwekqwek.exe

"C:\Users\Admin\Downloads\UnivMenu_1.16\Loadkeqwkedkqwekqwek.exe"

C:\Users\Admin\AppData\Roaming\1.exe

C:\Users\Admin\AppData\Roaming\1.exe

C:\Users\Admin\AppData\Roaming\2.exe

C:\Users\Admin\AppData\Roaming\2.exe

C:\Users\Admin\AppData\Roaming\2.exe

C:\Users\Admin\AppData\Roaming\2.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

C:\Users\Admin\AppData\Roaming\3.exe

C:\Users\Admin\AppData\Roaming\3.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "WindowsManager"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "WindowsManager" binpath= "C:\ProgramData\WindowsManager\update.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "WindowsManager"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\3.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\ProgramData\WindowsManager\update.exe

C:\ProgramData\WindowsManager\update.exe

C:\Users\Admin\Downloads\UnivMenu_1.16\Loadkeqwkedkqwekqwek.exe

"C:\Users\Admin\Downloads\UnivMenu_1.16\Loadkeqwkedkqwekqwek.exe"

C:\Users\Admin\AppData\Roaming\1.exe

C:\Users\Admin\AppData\Roaming\1.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Roaming\2.exe

C:\Users\Admin\AppData\Roaming\2.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\dwm.exe

dwm.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1428 -ip 1428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1064

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Users\Admin\AppData\Roaming\3.exe

C:\Users\Admin\AppData\Roaming\3.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "WindowsManager"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\3.exe"

C:\ProgramData\WindowsManager\update.exe

C:\ProgramData\WindowsManager\update.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\UnivMenu_1.16\Info.txt

C:\Users\Admin\Downloads\UnivMenu_1.16\Loadkeqwkedkqwekqwek.exe

"C:\Users\Admin\Downloads\UnivMenu_1.16\Loadkeqwkedkqwekqwek.exe"

C:\Users\Admin\AppData\Roaming\1.exe

C:\Users\Admin\AppData\Roaming\1.exe

C:\Users\Admin\AppData\Roaming\2.exe

C:\Users\Admin\AppData\Roaming\2.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1864 -ip 1864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 1060

C:\Users\Admin\AppData\Roaming\3.exe

C:\Users\Admin\AppData\Roaming\3.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "WindowsManager"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\3.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\ProgramData\WindowsManager\update.exe

C:\ProgramData\WindowsManager\update.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\UnivMenu_1.16\Qt5WebEngineCore\" -ad -an -ai#7zMap28148:122:7zEvent14801

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_2388_MTAZGDUSIEQIOSNI

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\MANIFEST-000001

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c19a.TMP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57efee.TMP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\36e7e0e9-6715-4288-b38f-36cbfd235090\index-dir\the-real-index~RFe57f59b.TMP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\36e7e0e9-6715-4288-b38f-36cbfd235090\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

C:\Users\Admin\AppData\Local\Temp\7zO0D37775C\_RDATA

C:\Users\Admin\AppData\Roaming\d3d9.dll

memory/1448-1411-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1448-1409-0x0000000000400000-0x0000000000457000-memory.dmp

memory/1448-1407-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

memory/2292-1431-0x00007FFFE6150000-0x00007FFFE6152000-memory.dmp

memory/2292-1433-0x00007FF621470000-0x00007FF621E5A000-memory.dmp

memory/2160-1434-0x000001CB6CA80000-0x000001CB6CAA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p2mt0jqb.r5w.ps1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

memory/436-1676-0x00007FF73B440000-0x00007FF73BE2A000-memory.dmp

memory/436-1675-0x00007FFFE6150000-0x00007FFFE6152000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

memory/1164-1694-0x00007FF622150000-0x00007FF622B3A000-memory.dmp

memory/1164-1693-0x00007FFFE6150000-0x00007FFFE6152000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

memory/2384-1716-0x0000022BAB010000-0x0000022BAB0C5000-memory.dmp

C:\Windows\TEMP\sylypzyuctar.sys

C:\Users\Admin\Downloads\UnivMenu_1.16\Info.txt
