Analysis Overview
Threat Level: Likely malicious
The file https://cdn.discordapp.com/attachments/1244531318633664535/1250635927777185844/setup.exe?ex=666ba8f8&is=666a5778&hm=d23141857d0b9101d603c4c4b71c5f79b12b7b2156b478c0e3d827f06a974c98& was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Loads dropped DLL
UPX packed file
Executes dropped EXE
Reads user/profile data of web browsers
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Enumerates system info in registry
Detects videocard installed
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Kills process with taskkill
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Enumerates processes with tasklist
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 02:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 02:21
Reported
2024-06-13 02:24
Platform
win11-20240611-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI24842\rar.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\setup.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Detects videocard installed
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 569733.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\setup.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1244531318633664535/1250635927777185844/setup.exe?ex=666ba8f8&is=666a5778&hm=d23141857d0b9101d603c4c4b71c5f79b12b7b2156b478c0e3d827f06a974c98&
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbfb463cb8,0x7ffbfb463cc8,0x7ffbfb463cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,3808447693193317153,5530895743648451821,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,3808447693193317153,5530895743648451821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,3808447693193317153,5530895743648451821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3808447693193317153,5530895743648451821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3808447693193317153,5530895743648451821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,3808447693193317153,5530895743648451821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3808447693193317153,5530895743648451821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3808447693193317153,5530895743648451821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3808447693193317153,5530895743648451821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3808447693193317153,5530895743648451821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3808447693193317153,5530895743648451821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,3808447693193317153,5530895743648451821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1912,3808447693193317153,5530895743648451821,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5484 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,3808447693193317153,5530895743648451821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,3808447693193317153,5530895743648451821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:8
C:\Users\Admin\Downloads\setup.exe
"C:\Users\Admin\Downloads\setup.exe"
C:\Users\Admin\Downloads\setup.exe
"C:\Users\Admin\Downloads\setup.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\setup.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('u got beamed', 0, 'sorry ', 0+16);close()""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\setup.exe'
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('u got beamed', 0, 'sorry ', 0+16);close()"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4608"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4608
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 948"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 948
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2776"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2776
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4668"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4668
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1296"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 1296
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2336"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2336
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2100"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2100
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2312"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2312
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2736"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2736
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI24842\rar.exe a -r -hpphantom "C:\Users\Admin\AppData\Local\Temp\J4erO.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI24842\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI24842\rar.exe a -r -hpphantom "C:\Users\Admin\AppData\Local\Temp\J4erO.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 172.64.149.23:80 | crl.sectigo.com | tcp |
| US | 172.64.149.23:80 | crl.sectigo.com | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 172.64.149.23:80 | crl.sectigo.com | tcp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| US | 172.64.149.23:80 | crl.sectigo.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.136.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 5c4605aed5013f25a162a5054965829c |
| SHA1 | 4cec67cbc5ec1139df172dbc7a51fe38943360cf |
| SHA256 | 5c16c584cda1f348a7030e9cab6e9db9e8e47a283dd19879f8bb6d75e170827f |
| SHA512 | bf2a5602fde0de143f9df334249fef2e36af7abeda389376a20d7613e9ccad59f2ca0447576ac1ed60ecf6ab1526c37e68c4614d79ae15c53e1774d325b4036f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3066a8b5ee69aa68f709bdfbb468b242 |
| SHA1 | a591d71a96bf512bd2cfe17233f368e48790a401 |
| SHA256 | 76f6f3fcef4b1d989542e7c742ff73810c24158ac4e086cbd54f13b430cc4434 |
| SHA512 | ad4d30c7be9466a797943230cb9f2ca98f76bf0f907728a0fa5526de1ed23cd5cf81b130ee402f7b3bb5de1e303b049d2867d98cf2039b5d8cb177d7a410b257 |
\??\pipe\LOCAL\crashpad_4608_ZGKCMZXGIIMVZUDG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 27fab038bcdaee58d1d6e8572576413d |
| SHA1 | c6b86f4506648ecb5dda3dc5c02570b418dba292 |
| SHA256 | 66b03c422bd8bd7bd9c10b5a778b22768760031bc5f35ba258f71340e27abcc5 |
| SHA512 | 95ead30c39c1f0dc1d1b37a64e420e8f5e575208b631192dfaef6175a1ad666f6754fc4862596f943b1879114e2174f380c64e40f64c3df48187b3a10ba0b472 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c8e1730c9f63ddb3f6a2148861534399 |
| SHA1 | 24ded1f5cee4ba184d3bbac07f86b20cf19ca68e |
| SHA256 | 17927be0bc0d09ee21fca38d94472cb6225ec4509d0b5a853b792d96d04af020 |
| SHA512 | f5ba26af85e3459db36e99c3e339e20d120e9a27eab5817ffd7357c5e8dcbdf968692f935e60eed9d1dc17f12a1f84aac6f3e506b1e04148636232679dd93e82 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 55107aee2fb52495de45aa2afab4f1fc |
| SHA1 | 9ea507ca1c1120a2a8230715800ca9224658e552 |
| SHA256 | 6ec66f772df77a7db1f6a6d0395d1c843eb1149e6be576347baeeca20389d5e0 |
| SHA512 | 82d728f1136c08c7b95149eb695e0482ca55fa1f88aa143d94d9eb7f999b088ea926179f0a33bb685146285bfab31955575d0d715c96f349d270ff2f4a505822 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 807419ca9a4734feaf8d8563a003b048 |
| SHA1 | a723c7d60a65886ffa068711f1e900ccc85922a6 |
| SHA256 | aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631 |
| SHA512 | f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 818e003a52d9c75d1e4e2b0dc9d3d543 |
| SHA1 | 4a7641469958874b9e0e9c152a568c9921699613 |
| SHA256 | c55e0a7edca70ae0d073d1b7d7e5d13a852afcdf3cd4935a00c117cecc940027 |
| SHA512 | d5420b75f1c772700b1fea278bf086299f11a36890b90f19c68e603c39ee747273acd6e3b838e2c5332b5707de52f0b4dfc3788dae85cd9125ba6642f65afb02 |
C:\Users\Admin\Downloads\Unconfirmed 569733.crdownload
| MD5 | f0533d37e079e1c50f13eeaf7fbfe009 |
| SHA1 | f525f1969d797e9f466d0d6498629e7bdb62a3f6 |
| SHA256 | da931829df423bc2af84173159f25fca36af94b6fe445c2101d0a34fd7fdb6b5 |
| SHA512 | a46e2d2fc80eb337ecd0d89089827c31334b783be63fd2e83953a13961517a1348aa4053cf3b67d18cc9b18e715793b82c1b0f4e84ba02356433e44632efc50b |
C:\Users\Admin\Downloads\setup.exe:Zone.Identifier
| MD5 | fbccf14d504b7b2dbcb5a5bda75bd93b |
| SHA1 | d59fc84cdd5217c6cf74785703655f78da6b582b |
| SHA256 | eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913 |
| SHA512 | aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98 |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\python311.dll
| MD5 | bb46b85029b543b70276ad8e4c238799 |
| SHA1 | 123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c |
| SHA256 | 72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0 |
| SHA512 | 5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31 |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\VCRUNTIME140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
memory/4684-142-0x00007FFBE8180000-0x00007FFBE8768000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24842\base_library.zip
| MD5 | bea7a9638e904a6371853b47f528b4e1 |
| SHA1 | a66479cab958890bad7a0b7b9403d4f1e0bbb58d |
| SHA256 | 5a2d9ca2e6706571243f7ce78110216b06fa4ba65a69a7e5a4208a894d554437 |
| SHA512 | 44782992b4af57ac17e93eff59caff62f6ab6658281b50cf870d5c98c8867a910a849085ba7bd161578ce9675fc3392943b8fb7c86a611aa29e403b8e7f3caa2 |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\tinyaes.cp311-win_amd64.pyd
| MD5 | 14ae513cfc1b057e51b49efdce28c14e |
| SHA1 | 18b2cbf7484dc9eaf52d74622fcb38c0ce673361 |
| SHA256 | 0c5687a99109e162c6ce1656784f86e7835de7d38b28c7a4de29ef1c214ef867 |
| SHA512 | 368f83b3a62ab4958ab279d4aa60722fd3b17499eb651d2fb6c38513fc2f6ba5c2d830224756642bd243995cc38bf5d1d425f6744bf9f0b0c125d76d213fcee1 |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\_ctypes.pyd
| MD5 | 38fb83bd4febed211bd25e19e1cae555 |
| SHA1 | 4541df6b69d0d52687edb12a878ae2cd44f82db6 |
| SHA256 | cd31af70cbcfe81b01a75ebeb2de86079f4cbe767b75c3b5799ef8b9f0392d65 |
| SHA512 | f703b231b675c45accb1f05cd34319b5b3b7583d85bf2d54194f9e7c704fbcd82ef2a2cd286e6a50234f02c43616fbeccfd635aefd73424c1834f5dca52c0931 |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\libffi-8.dll
| MD5 | 90a6b0264a81bb8436419517c9c232fa |
| SHA1 | 17b1047158287eb6471416c5df262b50d6fe1aed |
| SHA256 | 5c4a0d4910987a38a3cd31eae5f1c909029f7762d1a5faf4a2e2a7e9b1abab79 |
| SHA512 | 1988dd58d291ee04ebfec89836bb14fcaafb9d1d71a93e57bd06fe592feace96cdde6fcce46ff8747339659a9a44cdd6cf6ac57ff495d0c15375221bf9b1666e |
memory/4684-153-0x00007FFBFF580000-0x00007FFBFF58F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24842\_lzma.pyd
| MD5 | 8d9e1bb65a192c8446155a723c23d4c5 |
| SHA1 | ea02b1bf175b7ef89ba092720b3daa0c11bef0f0 |
| SHA256 | 1549fe64b710818950aa9bf45d43fe278ce59f3b87b3497d2106ff793efa6cf7 |
| SHA512 | 4d67306fe8334f772fe9d463cb4f874a8b56d1a4ad3825cff53cae4e22fa3e1adba982f4ea24785312b73d84a52d224dfb4577c1132613aa3ae050a990e4abdf |
memory/4684-152-0x00007FFBF1590000-0x00007FFBF15B4000-memory.dmp
memory/4684-155-0x00007FFBF1560000-0x00007FFBF158D000-memory.dmp
memory/4684-151-0x00007FFBFA530000-0x00007FFBFA547000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24842\_bz2.pyd
| MD5 | 0c13627f114f346604b0e8cbc03baf29 |
| SHA1 | bf77611d924df2c80aabcc3f70520d78408587a2 |
| SHA256 | df1e666b55aae6ede59ef672d173bd0d64ef3e824a64918e081082b8626a5861 |
| SHA512 | c97fa0f0988581eae5194bd6111c1d9c0e5b1411bab47df5aa7c39aad69bfbeca383514d6aaa45439bb46eacf6552d7b7ed08876b5e6864c8507eaa0a72d4334 |
memory/4684-158-0x00007FFBF6500000-0x00007FFBF6519000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24842\_sqlite3.pyd
| MD5 | d678600c8af1eeeaa5d8c1d668190608 |
| SHA1 | 080404040afc8b6e5206729dd2b9ee7cf2cb70bc |
| SHA256 | d6960f4426c09a12488eb457e62506c49a58d62a1cb16fbc3ae66b260453c2ed |
| SHA512 | 8fd5f0fd5bd60c6531e1b4ad867f81da92d5d54674028755e5680fb6005e6444805003d55b6cbaf4cdad7b4b301cffab7b010229f6fd9d366405b8ade1af72d9 |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\sqlite3.dll
| MD5 | ddd0dd698865a11b0c5077f6dd44a9d7 |
| SHA1 | 46cd75111d2654910f776052cc30b5e1fceb5aee |
| SHA256 | a9dd0275131105df5611f31a9e6fbf27fd77d0a35d1a73a9f4941235fbc68bd7 |
| SHA512 | b2ee469ea5a6f49bbdd553363baa8ebad2baf13a658d0d0c167fde7b82eb77a417d519420db64f325d0224f133e3c5267df3aa56c11891d740d6742adf84dbe4 |
memory/4684-164-0x00007FFBE8000000-0x00007FFBE8173000-memory.dmp
memory/4684-163-0x00007FFBF0620000-0x00007FFBF0643000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24842\_socket.pyd
| MD5 | 4351d7086e5221398b5b78906f4e84ac |
| SHA1 | ba515a14ec1b076a6a3eab900df57f4f37be104d |
| SHA256 | a0fa25eef91825797f01754b7d7cf5106e355cf21322e926632f90af01280abe |
| SHA512 | a1bcf51e797ccae58a0b4cfe83546e5e11f8fc011ca3568578c42e20bd7a367a5e1fa4237fb57aa84936eec635337e457a61a2a4d6eca3e90e6dde18ae808025 |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\select.pyd
| MD5 | abf7864db4445bbbd491c8cff0410ae0 |
| SHA1 | 4b0f3c5c7bf06c81a2c2c5693d37ef49f642a9b7 |
| SHA256 | ddeade367bc15ea09d42b2733d88f092da5e880362eabe98d574bc91e03de30e |
| SHA512 | 8f55084ee137416e9d61fe7de19e4cff25a4b752494e9b1d6f14089448ef93e15cd820f9457c6ce9268781bd08e3df41c5284801f03742bc5c40b3b81fb798c5 |
memory/4684-171-0x00007FFBFBDB0000-0x00007FFBFBDBD000-memory.dmp
memory/4684-170-0x00007FFBF0400000-0x00007FFBF0419000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24842\_ssl.pyd
| MD5 | 156b1fa2f11c73ed25f63ee20e6e4b26 |
| SHA1 | 36189a5cde36d31664acbd530575a793fc311384 |
| SHA256 | a9b5f6c7a94fb6bfaf82024f906465ff39f9849e4a72a98a9b03fc07bf26da51 |
| SHA512 | a8181ffeb3cf8ef2a25357217a3dd05242cc0165473b024cf0aeb3f42e21e52c2550d227a1b83a6e5dab33a185d78e86e495e9634e4f4c5c4a1aec52c5457dca |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\libssl-1_1.dll
| MD5 | eac369b3fde5c6e8955bd0b8e31d0830 |
| SHA1 | 4bf77158c18fe3a290e44abd2ac1834675de66b4 |
| SHA256 | 60771fb23ee37b4414d364e6477490324f142a907308a691f3dd88dc25e38d6c |
| SHA512 | c51f05d26fda5e995fe6763877d4fcdb89cd92ef2d6ee997e49cc1ee7a77146669d26ec00ad76f940ef55adae82921dede42e55f51bd10d1283ecfe7c5009778 |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\libcrypto-1_1.dll
| MD5 | daa2eed9dceafaef826557ff8a754204 |
| SHA1 | 27d668af7015843104aa5c20ec6bbd30f673e901 |
| SHA256 | 4dab915333d42f071fe466df5578fd98f38f9e0efa6d9355e9b4445ffa1ca914 |
| SHA512 | 7044715550b7098277a015219688c7e7a481a60e4d29f5f6558b10c7ac29195c6d5377dc234da57d9def0c217bb3d7feca332a64d632ca105503849f15e057ea |
memory/4684-178-0x00007FFBE7C80000-0x00007FFBE7FF5000-memory.dmp
memory/4684-177-0x00007FFBEF450000-0x00007FFBEF47E000-memory.dmp
memory/4684-179-0x00007FFBE7BC0000-0x00007FFBE7C78000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24842\_hashlib.pyd
| MD5 | 596df8ada4b8bc4ae2c2e5bbb41a6c2e |
| SHA1 | e814c2e2e874961a18d420c49d34b03c2b87d068 |
| SHA256 | 54348cfbf95fd818d74014c16343d9134282d2cf238329eec2cda1e2591565ec |
| SHA512 | e16aad5230e4af7437b19c3db373b1a0a0a84576b608b34430cced04ffc652c6fb5d8a1fe1d49ac623d8ae94c8735800c6b0a12c531dcdd012b05b5fd61dff2e |
memory/4684-182-0x00007FFBF03E0000-0x00007FFBF03F4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24842\_queue.pyd
| MD5 | fbbbfbcdcf0a7c1611e27f4b3b71079e |
| SHA1 | 56888df9701f9faa86c03168adcd269192887b7b |
| SHA256 | 699c1f0f0387511ef543c0df7ef81a13a1cffde4ce4cd43a1baf47a893b99163 |
| SHA512 | 0a5ba701653ce9755048ae7b0395a15fbb35509bef7c4b4fe7f11dc4934f3bd298bcddbf2a05b61f75f8eb44c4c41b3616f07f9944e0620b031cbe87a7443284 |
memory/4684-185-0x00007FFBFAF70000-0x00007FFBFAF7D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24842\unicodedata.pyd
| MD5 | bb3fca6f17c9510b6fb42101fe802e3c |
| SHA1 | cb576f3dbb95dc5420d740fd6d7109ef2da8a99d |
| SHA256 | 5e2f1bbfe3743a81b00717011094798929a764f64037bedb7ea3d2ed6548eb87 |
| SHA512 | 05171c867a5d373d4f6420136b6ac29fa846a85b30085f9d7fabcbb4d902afee00716dd52010ed90e97c18e6cb4e915f13f31a15b2d8507e3a6cfa80e513b6a2 |
memory/4684-188-0x00007FFBE7AA0000-0x00007FFBE7BBC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n2ghqss1.seb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4968-194-0x000001A67BDD0000-0x000001A67BDF2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e3840d9bcedfe7017e49ee5d05bd1c46 |
| SHA1 | 272620fb2605bd196df471d62db4b2d280a363c6 |
| SHA256 | 3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f |
| SHA512 | 76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
memory/4684-212-0x00007FFBE8180000-0x00007FFBE8768000-memory.dmp
memory/4684-222-0x00007FFBF1590000-0x00007FFBF15B4000-memory.dmp
memory/4684-223-0x00007FFBE8180000-0x00007FFBE8768000-memory.dmp
memory/4684-238-0x00007FFBE7AA0000-0x00007FFBE7BBC000-memory.dmp
memory/4684-235-0x00007FFBE7BC0000-0x00007FFBE7C78000-memory.dmp
memory/4684-234-0x00007FFBE7C80000-0x00007FFBE7FF5000-memory.dmp
memory/4684-233-0x00007FFBEF450000-0x00007FFBEF47E000-memory.dmp
memory/4684-231-0x00007FFBF0400000-0x00007FFBF0419000-memory.dmp
memory/4684-230-0x00007FFBE8000000-0x00007FFBE8173000-memory.dmp
memory/4684-229-0x00007FFBF0620000-0x00007FFBF0643000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d0ad3fa70230ea76b1a8b5e5f60ee93f |
| SHA1 | 961c42b6ec14746a6706a3731573e33c527cbd69 |
| SHA256 | 8ef5ed66580b9667b3572215c5255da179b05d3f582fbc6c6256b685aeadc305 |
| SHA512 | 2f32a01352fe6a652544aceccdd8862a6db2936db2d8be8445db0aa4739a99494331d7ed23a03f0b4d07475bf061190eb3d96b2a14cc7bf7a7a9fe318cff92f0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
| MD5 | 90e963d676033ee923b886c9156fb9e8 |
| SHA1 | 768bd2e4573acbd78c7417145cf0b6c3de88ac9f |
| SHA256 | feb35d1e4b1b80567ccfe69101e172b079b4b2873649bd763fca8511c9ad11da |
| SHA512 | 03e114a94b0b8d68e02adcdd8df1dfa6da132b72c51088a61e7f55b8b5c803f9820feb0e3d9d0b148e553a66fbf7eb133b7636c0122de1cb6b481609b91eba69 |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\ \Credentials\Edge\Edge Cookies.txt
| MD5 | b093644f734279b4256a522c5826ea2c |
| SHA1 | e62f540ab673680ed663564972c210a6bf9124f4 |
| SHA256 | 96a7a414067d1a4d760a212a351da7a1a8afe962c9b2713b4cc78152937f3f9c |
| SHA512 | f562905ec2d7b518dabbb95498fe06de1cc27faec34e20d521dd7cdfebc5b64e0f6641f579fb0395981fdd41cefa01ade23e509a0562d256c8a108abc097c394 |
C:\Users\Admin\AppData\Local\Temp\ \Credentials\Chrome\Chrome Cookies.txt
| MD5 | 59d087d910ad4be7e0fe504d50275be0 |
| SHA1 | 26394cc0a840dbd6f68613f2d3e03a2ea436b51c |
| SHA256 | 968ba1f81aaa8480b4fd7da3b4da19b66608839b96b8557b48c64299449efa34 |
| SHA512 | 32398a705f71fc90c24be9cb2216a88c5f53027e1efee508a9332a10571599592519e8fd0c3f441ced9ce8c8bc0c799f66fb46f1ed33da9b793731593e5d56d4 |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\ \Tree.txt
| MD5 | c4d35a6c9e61e03eb68c34266047e3eb |
| SHA1 | ac3ddfb6588c0ae21b228d694672ec082daa65ce |
| SHA256 | 401d27295488601b911f0828a37dae5bae5b27b4fa0e8032b0510a70d8980bd2 |
| SHA512 | fb624a21ae4530d38afcdcc0692964e41084c34b630dcff569769b34656e6249c5103d2fb682380e9121a6eaf814317b01b326e785212036e54ba01657f81884 |
C:\Users\Admin\AppData\Local\Temp\J4erO.zip
| MD5 | 88280d8dca95eb386af134a0020ebd2c |
| SHA1 | 9b73d1049079a972a28cede8c73ba898df64a757 |
| SHA256 | 7b7d5d13dca773040c9501844486723338ae509a211457ff363b84d4ff6c7c29 |
| SHA512 | 60273a7d4e494daa58f2c1a60bbf451feeaadff65a938a095a50f2d7c26612892d39f786a7a53c4720009935b8abe88e84329515135f077f06917d601755bd2d |
memory/4684-310-0x00007FFBE8000000-0x00007FFBE8173000-memory.dmp
memory/4684-318-0x00007FFBE7AA0000-0x00007FFBE7BBC000-memory.dmp
memory/4684-328-0x00007FFBEF450000-0x00007FFBEF47E000-memory.dmp
memory/4684-327-0x00007FFBFBDB0000-0x00007FFBFBDBD000-memory.dmp
memory/4684-326-0x00007FFBF0400000-0x00007FFBF0419000-memory.dmp
memory/4684-325-0x00007FFBF0620000-0x00007FFBF0643000-memory.dmp
memory/4684-324-0x00007FFBF6500000-0x00007FFBF6519000-memory.dmp
memory/4684-323-0x00007FFBF1560000-0x00007FFBF158D000-memory.dmp
memory/4684-322-0x00007FFBFF580000-0x00007FFBFF58F000-memory.dmp
memory/4684-321-0x00007FFBF1590000-0x00007FFBF15B4000-memory.dmp
memory/4684-320-0x00007FFBFA530000-0x00007FFBFA547000-memory.dmp
memory/4684-319-0x00007FFBE8180000-0x00007FFBE8768000-memory.dmp
memory/4684-317-0x00007FFBFAF70000-0x00007FFBFAF7D000-memory.dmp
memory/4684-316-0x00007FFBF03E0000-0x00007FFBF03F4000-memory.dmp
memory/4684-315-0x00007FFBE7BC0000-0x00007FFBE7C78000-memory.dmp
memory/4684-314-0x00007FFBE7C80000-0x00007FFBE7FF5000-memory.dmp
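The dropped-file listing above is flattened (a path line followed by its MD5/SHA1/SHA256/SHA512 rows, with memory dumps as bare lines), which makes it awkward to diff or hunt with. The following Python is an added example, not part of the sandbox report, that parses a few entries copied from the listing above into structured IOCs and draws out three things a practitioner would check: whether the `setup.exe:Zone.Identifier` stream hashes to the plain Mark-of-the-Web content (assumption: the 26-byte `[ZoneTransfer]\r\nZoneId=3\r\n` Windows writes for an Internet-zone download, with no HostUrl/ReferrerUrl lines), which paths were recorded twice with different hashes (Edge's `Local State` appears twice above with different digests, i.e. it was rewritten during the run), and which dropped files sit under the `_MEI24842` directory (the per-process extraction folder used by PyInstaller onefile bundles, consistent with `python311.dll` and the `.pyd` modules listed). The `SAMPLE_LISTING` text is constructed from lines on this page; the function and constant names are my own.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: entries copied verbatim from the dropped-files listing
# above, in the same flattened "path line, then | ALGO | hex | rows" shape.
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 818e003a52d9c75d1e4e2b0dc9d3d543 |
| SHA1 | 4a7641469958874b9e0e9c152a568c9921699613 |
| SHA256 | c55e0a7edca70ae0d073d1b7d7e5d13a852afcdf3cd4935a00c117cecc940027 |
| SHA512 | d5420b75f1c772700b1fea278bf086299f11a36890b90f19c68e603c39ee747273acd6e3b838e2c5332b5707de52f0b4dfc3788dae85cd9125ba6642f65afb02 |
C:\Users\Admin\Downloads\setup.exe:Zone.Identifier
| MD5 | fbccf14d504b7b2dbcb5a5bda75bd93b |
| SHA1 | d59fc84cdd5217c6cf74785703655f78da6b582b |
| SHA256 | eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913 |
| SHA512 | aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98 |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\python311.dll
| MD5 | bb46b85029b543b70276ad8e4c238799 |
| SHA1 | 123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c |
| SHA256 | 72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0 |
| SHA512 | 5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31 |
memory/4684-142-0x00007FFBE8180000-0x00007FFBE8768000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d0ad3fa70230ea76b1a8b5e5f60ee93f |
| SHA1 | 961c42b6ec14746a6706a3731573e33c527cbd69 |
| SHA256 | 8ef5ed66580b9667b3572215c5255da179b05d3f582fbc6c6256b685aeadc305 |
| SHA512 | 2f32a01352fe6a652544aceccdd8862a6db2936db2d8be8445db0aa4739a99494331d7ed23a03f0b4d07475bf061190eb3d96b2a14cc7bf7a7a9fe318cff92f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI24842\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Assumption (not stated in the report): the ADS content Windows writes for a
# plain Internet-zone download when no HostUrl/ReferrerUrl lines are present.
MOTW_ZONE3 = b"[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_listing(text):
    """Return [{"path": str, "hashes": {ALGO: hex}}] in listing order.
    Any non-hash line starts a new entry, so memory-dump lines are kept with an
    empty hash dict rather than silently dropped. Malformed digests are rejected."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row before any path: {line}")
            algo, hexval = m.group(1), m.group(2).lower()
            if len(hexval) != HEX_LEN[algo]:
                raise ValueError(f"{algo} for {current['path']} has {len(hexval)} hex chars")
            current["hashes"][algo] = hexval
        else:
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return entries


def motw_matches(entry):
    """True when a :Zone.Identifier entry's MD5 and SHA256 equal the digests of
    MOTW_ZONE3, i.e. the stream carries nothing beyond ZoneId=3 (Internet)."""
    if not entry["path"].endswith(":Zone.Identifier"):
        return False
    h = entry["hashes"]
    return (h.get("MD5") == hashlib.md5(MOTW_ZONE3).hexdigest()
            and h.get("SHA256") == hashlib.sha256(MOTW_ZONE3).hexdigest())


def rehashed_paths(entries):
    """Paths listed more than once with different SHA256 values: the file was
    rewritten between two points in the run."""
    seen = defaultdict(set)
    for e in entries:
        if "SHA256" in e["hashes"]:
            seen[e["path"]].add(e["hashes"]["SHA256"])
    return sorted(p for p, digests in seen.items() if len(digests) > 1)


def pyinstaller_runtime(entries):
    """Dropped files under a \\_MEI<pid>\\ directory, the extraction folder a
    PyInstaller onefile executable creates in %TEMP% at startup."""
    return [e["path"] for e in entries if re.search(r"\\_MEI\d+\\", e["path"])]


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for e in parsed:
        print(e["path"], e["hashes"].get("SHA256", "(no hashes)"), "MOTW" if motw_matches(e) else "")
    print("rewritten during run:", rehashed_paths(parsed))
    print("PyInstaller runtime files:", pyinstaller_runtime(parsed))
```

Feeding the whole listing through `parse_listing` gives a SHA256 set that can go straight into a blocklist or a retro-hunt; `rehashed_paths` is worth running over the full report, since a second entry for the same path is the only hint this flat format gives that a file changed mid-detonation.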