Analysis Overview
Threat Level: Known bad
The submitted URL https://github.com/XOO1X2/YexoFN-fortnite-cheat was classified as: Known bad.
Malicious Activity Summary
Stealerium
Downloads MZ/PE file
Command and Scripting Interpreter: PowerShell
Drops startup file
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
UPX packed file
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Detects Pyinstaller
Enumerates physical storage devices
Detects videocard installed
NTFS ADS
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Analysis: static1
Detonation Overview
| Reported | 2024-05-13 21:35 |
Signatures
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-05-13 21:35 |
| Reported | 2024-05-13 21:36 |
| Platform | win10v2004-20240426-en |
| Max time kernel | 41s |
| Max time network | 47s |
Signatures
Stealerium
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\YexoCheatz.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOADER.EXE | C:\Users\Admin\AppData\Local\Temp\LOADER.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOADER.EXE | C:\Users\Admin\AppData\Local\Temp\LOADER.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\YexoCheatz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BUILD.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LOADER.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LOADER.EXE | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Detects Pyinstaller
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 429947.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LOADER.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BUILD.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/XOO1X2/YexoFN-fortnite-cheat |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbdcb646f8,0x7ffbdcb64708,0x7ffbdcb64718 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,13659333858173647236,14970811125224148621,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,13659333858173647236,14970811125224148621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,13659333858173647236,14970811125224148621,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8 |
| C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13659333858173647236,14970811125224148621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13659333858173647236,14970811125224148621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1 |
| C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding |
| C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13659333858173647236,14970811125224148621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8 |
| C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,13659333858173647236,14970811125224148621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13659333858173647236,14970811125224148621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,13659333858173647236,14970811125224148621,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5280 /prefetch:8 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2124,13659333858173647236,14970811125224148621,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5984 /prefetch:8 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13659333858173647236,14970811125224148621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13659333858173647236,14970811125224148621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13659333858173647236,14970811125224148621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13659333858173647236,14970811125224148621,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,13659333858173647236,14970811125224148621,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,13659333858173647236,14970811125224148621,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8 |
| C:\Users\Admin\Downloads\YexoCheatz.exe | "C:\Users\Admin\Downloads\YexoCheatz.exe" |
| C:\Users\Admin\AppData\Local\Temp\BUILD.EXE | "C:\Users\Admin\AppData\Local\Temp\BUILD.EXE" |
| C:\Users\Admin\AppData\Local\Temp\LOADER.EXE | "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" |
| C:\Users\Admin\AppData\Local\Temp\LOADER.EXE | "C:\Users\Admin\AppData\Local\Temp\LOADER.EXE" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "ver" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" |
| C:\Windows\System32\wbem\WMIC.exe | C:\Windows\System32\wbem\WMIC.exe csproduct get uuid |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "netsh wlan show profiles" |
| C:\Windows\system32\netsh.exe | netsh wlan show profiles |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" " |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic os get Caption" |
| C:\Windows\System32\Wbem\WMIC.exe | wmic os get Caption |
| C:\Windows\System32\Wbem\wmic.exe | wmic cpu get Name |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" |
| C:\Windows\System32\Wbem\WMIC.exe | wmic path win32_VideoController get name |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" |
| C:\Windows\System32\Wbem\WMIC.exe | wmic computersystem get totalphysicalmemory |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid" |
| C:\Windows\System32\wbem\WMIC.exe | C:\Windows\System32\wbem\WMIC.exe csproduct get uuid |
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI54002\_ssl.pyd
| MD5 | d2797b9973de49d2ec21dc92c81fb45d |
| SHA1 | 5e1b6624965e2513b08df114fd2b551d783e611d |
| SHA256 | 75c787d8012155a4fb3cfac98659dad2ac4ed97f3e8c7f8636f1f26da8447a62 |
| SHA512 | f7d453a7d13bb603163dd5a36d7879152cfc175042e6477f7e620f5e5cbeb13bc7194370858c2c46a52deae2bcebc0b1ca4d8333aad93620898d7debef4321df |
C:\Users\Admin\AppData\Local\Temp\_MEI54002\_sqlite3.pyd
| MD5 | b5134aa73900fe456b03886a0bdfeefb |
| SHA1 | 251d92c9bf6d211ad020149fd84a21fb65513d58 |
| SHA256 | 93ab57add576c9d78cf763c57d207310d8863b94720ddc49b7274c49a5413e22 |
| SHA512 | e065f08a461c6383ff605064985ff44b4d2f895e04b994f2859fcce8759129047e04a8b6908ebfafd9b534acd0a844281070da113685c448bef0caea595d1448 |
C:\Users\Admin\AppData\Local\Temp\_MEI54002\_socket.pyd
| MD5 | c69049c7709ba51b9d008f82e6228d69 |
| SHA1 | c2763dded2f31ef3bbaccf56271182dfef6ffbb3 |
| SHA256 | 511d8d612ea3d31b09815bae9c32d765e30e5da880d0a0826aa46b2cefb89b9f |
| SHA512 | 848802e3d0d9562fb27e9cbe0e78794593070ac45b83911cd8b1b6297c830fedcdfd433a13861ace229c82a76d9be2871b46bb8f8fe90c1a1088f36b3cc9b2f4 |
C:\Users\Admin\AppData\Local\Temp\_MEI54002\_queue.pyd
| MD5 | 3b152dfe184f3d1f703e185b8b591567 |
| SHA1 | 18a0abda2853d2d65f84d453c1fd3d1cd215c412 |
| SHA256 | b41abc88a0e5fc43a9506646a185a6874d6cd21366da3cad1b3311ec14c91612 |
| SHA512 | 566734712d7ce6670985fc8e39af466d2a4f388f193ade99cb6ef7ad02a0f3ea93b27a1e36d4899eaeeccb49e1cf8124ac00487c4a7724527d678e466ffac734 |
C:\Users\Admin\AppData\Local\Temp\_MEI54002\_overlapped.pyd
| MD5 | 501ae3b1d0ae6a17f713143a8e2ba854 |
| SHA1 | 50049d7a5b0b8164c6668a2c87bcb1d2f37f75a7 |
| SHA256 | 53ea9fbdd341e5f46cac4fb6278c7aa9febbab0243b8f6a37133954837a14ca0 |
| SHA512 | 824d1bce374d2e79ba0e6ce49e022c81052f0dd96bb8a8f3c27ca36e97ae575bb75100106db7949c74732cf855e4778646619e2ab7f1bee18cedd2d30ab4fdfa |
C:\Users\Admin\AppData\Local\Temp\_MEI54002\_multiprocessing.pyd
| MD5 | 231d288dea35b78aa2b91b666663b613 |
| SHA1 | 14e2203aab3c47b2495fcb985f5bc1814a6a5dd0 |
| SHA256 | 14257ab6b9c2ad214be1511aeb3d195bcc13640b2d4d2e13040133fe4abd06ff |
| SHA512 | 53e48facbdf897961aaed423ed0e9dc0ae55989befe77f9b3a0f45727dd1f40f6d98a63c1107919c383cb81fdee2940ba41738bcd406edb522f5b58d961dddd2 |
C:\Users\Admin\AppData\Local\Temp\_MEI54002\_hashlib.pyd
| MD5 | 62ef0bd76397e6e1597a8fac95417f80 |
| SHA1 | 7427ec53089a34d2651db6b91eb35d1dd2100851 |
| SHA256 | 92434b3d6b5b3a1641e918e6c8db103c64fa796f76640b2c06c6fb2546b95add |
| SHA512 | 176827453bdead8bce83f039244f9e8c789654d7a1f034baf918c40775c6ea97bce61c6d853ab4905a3143a34691fc2ec04a0f1372dc09290f9c24bd09a89a5e |
C:\Users\Admin\AppData\Local\Temp\_MEI54002\_decimal.pyd
| MD5 | 1777f6fca8c9dd7dae318d82e1026e6f |
| SHA1 | 80733116d800ad2db672f2b0fa9acfe248610fbd |
| SHA256 | cd656dbca884f4fc0bef601a31bfa3487339698b6a83d542f7766ef1c559cb6c |
| SHA512 | eb2bc1e9a730d945d7be944c3495da6924ffe36072ab73dd4179f7612d5ff1846ae19048f3781b796b520bb02b975ec1aba2aa922c7a06d8ae01dd4ad511a1a8 |
C:\Users\Admin\AppData\Local\Temp\_MEI54002\_cffi_backend.cp310-win_amd64.pyd
| MD5 | 76041575bfb6c23f89168485ba802cd3 |
| SHA1 | 740dbbbfb5a48985ee866139b2c3edcc33e88587 |
| SHA256 | 3adf6b1cfcb47d99653c284dc74b13764f960873edf651e99b52a1b6ba1df590 |
| SHA512 | 800fcac9c2e1312a6f3d46148a9d621ecbde07b473681d88a383d385c30adcc660d763a8babf32b8a4e815b2c2ce4a23d86660403c341f3dbc9ee021df341070 |
C:\Users\Admin\AppData\Local\Temp\_MEI54002\_asyncio.pyd
| MD5 | 1e7d1d597a239a7966991bbb652c7279 |
| SHA1 | 7e03011a327c51f090295e71f1fc7e9ded6044a7 |
| SHA256 | 1b1bdefc2b7081badcd475a699505624fab131875f21b324ec328885ef18eac4 |
| SHA512 | e7f52aebb2094bc1f25fe2cf27c6b23bce4b49dec5653cf9beca5c39ec3d840bbd2ddb0c8f30954b3890a5846c997347fef8923e18385bddf6d162507c45062a |
C:\Users\Admin\AppData\Local\Temp\_MEI54002\VCRUNTIME140_1.dll
| MD5 | 7667b0883de4667ec87c3b75bed84d84 |
| SHA1 | e6f6df83e813ed8252614a46a5892c4856df1f58 |
| SHA256 | 04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d |
| SHA512 | 968cbaafe416a9e398c5bfd8c5825fa813462ae207d17072c035f916742517edc42349a72ab6795199d34ccece259d5f2f63587cfaeb0026c0667632b05c5c74 |
C:\Users\Admin\AppData\Local\Temp\_MEI54002\unicodedata.pyd
| MD5 | f354238d8a4e2d3f1d532975c4cae405 |
| SHA1 | 4230069d43349f0aa725833a7998d516820490b9 |
| SHA256 | 4eb6ffca76135df20ed52a90626fd717d9cfbff16bfc62fd97f212a91d89e552 |
| SHA512 | 7f859e21f33c430e8f1b46ceecf44b92c847c93dbc35919deaff1433a56ff6e707ae1e88a7b9ebdd0fff1783ef1140a88e723eb0042d728b29333e0b4584ee7a |
C:\Users\Admin\AppData\Local\Temp\_MEI54002\sqlite3.dll
| MD5 | 270939e2db0ac4c562398b31d67df675 |
| SHA1 | b787bd6b802ff8a43cfc4161d090baef2bba34f4 |
| SHA256 | 430813405678c04691c74da56462be90a3439c1442a18873ceb719405914ba5c |
| SHA512 | e43c26004f790937717ede200a5e5d71f6e4ba94985848ddf748912531296c0c373992a6bb951c6eabb787a70652e7aef3c227044b7d677674d46a0b09fd93ee |
C:\Users\Admin\AppData\Local\Temp\_MEI54002\select.pyd
| MD5 | 5ea4ded3b551945f889f8344a29cb8d6 |
| SHA1 | dcc7eda3457b3bf98f67bfab9f042c07bb35b89d |
| SHA256 | 9ec5e5c46d2a154c4853a89f6330be252d7f5a42fbdde27f079c3dd59328a036 |
| SHA512 | 85371819f44656a3add6623a81ef3cb7b7d11c6c3a9561c2acd5c008f42a7a9f3c2bbee67693d9d43fb9607e47331fe0ed3df8ade22cc8c59a6af701bd0d6679 |
C:\Users\Admin\AppData\Local\Temp\_MEI54002\pyexpat.pyd
| MD5 | c1871b8e66709a23c24a4cd2d0a64ece |
| SHA1 | 563b1d4012dd656af56bb7715981c967cbbc993e |
| SHA256 | 1c8dba692e748c2d2617ef8ddbeacda2d6a6e5f1755d5e5932dec950e353da27 |
| SHA512 | 73286eba464f85ccf694cc03d2502b28b89f4833211874feace17b729321f0c6fcde9b7e682d4f27d4bca0ca36c64d5099ad16aef070dd499de9b9291af6fe8e |
C:\Users\Admin\AppData\Local\Temp\_MEI54002\libssl-1_1.dll
| MD5 | 345387a8d1af7d80459060c5666d1ec2 |
| SHA1 | d53697afa4df9569ff5f8ddc52652a976ccb39f9 |
| SHA256 | 5127c01aa1f7b6144498de56ec9ad4f4652a7825dae0958a80ca9ebfe46af3c4 |
| SHA512 | b0a8c1c9720bc4a13b888eb787a3ea4185452aaf3b283fec9185fa4992370bfb2d725bb5dae9eb170aa9fe52295a1f6e745cbe562f8fcb3cb067eda3ee39b746 |
C:\Users\Admin\AppData\Local\Temp\_MEI54002\libcrypto-1_1.dll
| MD5 | 4dc7da1ac1c40196ef9cf2081ebcaaf4 |
| SHA1 | 1dd5ffb0de01c759f84a3a4f185bf99539b8d68e |
| SHA256 | 84ce58b5132ee40cef1eefb03848fc5700ab0451614700f57f9f10b7607b75ee |
| SHA512 | 59b7f4b1a479a03aee0701856069734cc2299dbf5ad77c18ee5fa30fe7da0c01946337c463dd22ea487ce89128a46989b056ab146465e2e46a06cd160e5fc65a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | e03244997812c24b7b04d3360490e4d2 |
| SHA1 | e1860ac132a658aec8ef5b7155591f02d09bd02b |
| SHA256 | e01f46a0562a58fcc2ee8e36dc143f6967a089e87042e611e58206e212700813 |
| SHA512 | e161811746587dcfd907251d24947366661a9e9174d7a3bd803fd8007818ad05dd6d1b424c0c5819daa4ab909c85fe1b2784b10ec7ed96257da8ff8603c62b5e |
memory/5848-455-0x00007FFBCE700000-0x00007FFBCE735000-memory.dmp
memory/5848-461-0x00007FFBD84A0000-0x00007FFBD84AD000-memory.dmp
memory/5848-460-0x00007FFBDA0A0000-0x00007FFBDA0AD000-memory.dmp
memory/5848-459-0x00007FFBCE760000-0x00007FFBCE779000-memory.dmp
memory/5848-467-0x00007FFBCBF60000-0x00007FFBCC016000-memory.dmp
memory/5848-466-0x00007FFBC9790000-0x00007FFBC9B04000-memory.dmp
memory/5848-473-0x00007FFBCE690000-0x00007FFBCE6AE000-memory.dmp
memory/5848-474-0x00007FFBCAC90000-0x00007FFBCADFD000-memory.dmp
memory/5848-471-0x00007FFBD6920000-0x00007FFBD6930000-memory.dmp
memory/5848-475-0x00007FFBCE7D0000-0x00007FFBCE7F4000-memory.dmp
memory/5848-476-0x00007FFBCBF40000-0x00007FFBCBF58000-memory.dmp
memory/5848-470-0x00007FFBCE6B0000-0x00007FFBCE6C4000-memory.dmp
memory/5848-480-0x00007FFBC9670000-0x00007FFBC9788000-memory.dmp
memory/5848-479-0x00007FFBCBEF0000-0x00007FFBCBF16000-memory.dmp
memory/5848-478-0x00007FFBD4130000-0x00007FFBD413B000-memory.dmp
memory/5848-477-0x00007FFBCBF20000-0x00007FFBCBF35000-memory.dmp
memory/5848-472-0x00007FFBCB490000-0x00007FFBCB8F5000-memory.dmp
memory/5848-464-0x00007FFBCE6D0000-0x00007FFBCE6FE000-memory.dmp
memory/5848-481-0x00007FFBCE7B0000-0x00007FFBCE7C9000-memory.dmp
memory/5848-482-0x00007FFBCBEB0000-0x00007FFBCBEE8000-memory.dmp
memory/5848-496-0x00007FFBCB3F0000-0x00007FFBCB3FB000-memory.dmp
memory/5848-495-0x00007FFBCE6D0000-0x00007FFBCE6FE000-memory.dmp
memory/5848-494-0x00007FFBCB400000-0x00007FFBCB40C000-memory.dmp
memory/5848-493-0x00007FFBCE760000-0x00007FFBCE779000-memory.dmp
memory/5848-492-0x00007FFBCB410000-0x00007FFBCB41E000-memory.dmp
memory/5848-491-0x00007FFBCB450000-0x00007FFBCB45C000-memory.dmp
memory/5848-490-0x00007FFBCB460000-0x00007FFBCB46B000-memory.dmp
memory/5848-489-0x00007FFBCB470000-0x00007FFBCB47C000-memory.dmp
memory/5848-488-0x00007FFBCB420000-0x00007FFBCB42C000-memory.dmp
memory/5848-487-0x00007FFBCB430000-0x00007FFBCB43C000-memory.dmp
memory/5848-486-0x00007FFBCB440000-0x00007FFBCB44B000-memory.dmp
memory/5848-485-0x00007FFBC9790000-0x00007FFBC9B04000-memory.dmp
memory/5848-484-0x00007FFBCB480000-0x00007FFBCB48B000-memory.dmp
memory/5848-483-0x00007FFBCC6C0000-0x00007FFBCC6CB000-memory.dmp
memory/5848-505-0x00007FFBCAC30000-0x00007FFBCAC3C000-memory.dmp
memory/5848-506-0x00007FFBC93E0000-0x00007FFBC9663000-memory.dmp
memory/5848-504-0x00007FFBCE690000-0x00007FFBCE6AE000-memory.dmp
memory/5848-503-0x00007FFBCAC90000-0x00007FFBCADFD000-memory.dmp
memory/5848-502-0x00007FFBCAC40000-0x00007FFBCAC52000-memory.dmp
memory/5848-501-0x00007FFBCAC60000-0x00007FFBCAC6D000-memory.dmp
memory/5848-500-0x00007FFBCAC70000-0x00007FFBCAC7C000-memory.dmp
memory/5848-499-0x00007FFBCAC80000-0x00007FFBCAC8C000-memory.dmp
memory/5848-498-0x00007FFBCB3E0000-0x00007FFBCB3EB000-memory.dmp
memory/5848-497-0x00007FFBCBF60000-0x00007FFBCC016000-memory.dmp
memory/5848-509-0x00007FFBC93A0000-0x00007FFBC93CE000-memory.dmp
memory/5848-508-0x00007FFBCABF0000-0x00007FFBCAC19000-memory.dmp
memory/5848-507-0x00007FFBCAC20000-0x00007FFBCAC2A000-memory.dmp
memory/5876-541-0x000001C8FF2D0000-0x000001C8FF2F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kaphjwgn.3cx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\EBmksI7jdc\Browser\cc's.txt
| MD5 | 5aa796b6950a92a226cc5c98ed1c47e8 |
| SHA1 | 6706a4082fc2c141272122f1ca424a446506c44d |
| SHA256 | c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c |
| SHA512 | 976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad |
memory/5848-587-0x00007FFBCBEB0000-0x00007FFBCBEE8000-memory.dmp