Malware Analysis Report

2025-05-28 21:06

Sample ID 241109-q7kqaawaqj
Target https://cdn.discordapp.com/attachments/1304805438881140778/1304806116483399770/BirdMENU.exe?ex=6730bae4&is=672f6964&hm=06d680a9f82a97c40f023b335f5eeafd0ba20220b7bdde4a9349b6f5962e3cef&
Tags
discovery execution upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

Threat Level: Likely malicious

The file https://cdn.discordapp.com/attachments/1304805438881140778/1304806116483399770/BirdMENU.exe?ex=6730bae4&is=672f6964&hm=06d680a9f82a97c40f023b335f5eeafd0ba20220b7bdde4a9349b6f5962e3cef& was found to be: Likely malicious.

Malicious Activity Summary

discovery execution upx

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Enumerates processes with tasklist

UPX packed file

Browser Information Discovery

Suspicious use of FindShellTrayWindow

NTFS ADS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 13:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 13:54

Reported

2024-11-09 13:55

Platform

win10v2004-20241007-en

Max time kernel

70s

Max time network

66s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1304805438881140778/1304806116483399770/BirdMENU.exe?ex=6730bae4&is=672f6964&hm=06d680a9f82a97c40f023b335f5eeafd0ba20220b7bdde4a9349b6f5962e3cef&

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A
N/A N/A C:\Users\Admin\Downloads\BirdMENU.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 837482.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2500 wrote to memory of 3168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 3168 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 4040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 3100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 3100 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2500 wrote to memory of 2044 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1304805438881140778/1304806116483399770/BirdMENU.exe?ex=6730bae4&is=672f6964&hm=06d680a9f82a97c40f023b335f5eeafd0ba20220b7bdde4a9349b6f5962e3cef&

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b7e846f8,0x7ff8b7e84708,0x7ff8b7e84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4676 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5956 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8

C:\Users\Admin\Downloads\BirdMENU.exe

"C:\Users\Admin\Downloads\BirdMENU.exe"

C:\Users\Admin\Downloads\BirdMENU.exe

"C:\Users\Admin\Downloads\BirdMENU.exe"

C:\Users\Admin\Downloads\BirdMENU.exe

"C:\Users\Admin\Downloads\BirdMENU.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()""

C:\Users\Admin\Downloads\BirdMENU.exe

"C:\Users\Admin\Downloads\BirdMENU.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Users\Admin\Downloads\BirdMENU.exe

"C:\Users\Admin\Downloads\BirdMENU.exe"

C:\Users\Admin\Downloads\BirdMENU.exe

"C:\Users\Admin\Downloads\BirdMENU.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,8676553472491080443,118513299474032256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1

C:\Users\Admin\Downloads\BirdMENU.exe

"C:\Users\Admin\Downloads\BirdMENU.exe"

C:\Users\Admin\Downloads\BirdMENU.exe

"C:\Users\Admin\Downloads\BirdMENU.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\BirdMENU.exe

"C:\Users\Admin\Downloads\BirdMENU.exe"

C:\Users\Admin\Downloads\BirdMENU.exe

"C:\Users\Admin\Downloads\BirdMENU.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\BirdMENU.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('NOT INSTALLED THIS CORRECT ASK FOR HELP', 0, 'ERROR', 32+16);close()"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

Network


Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 d22073dea53e79d9b824f27ac5e9813e
SHA1 6d8a7281241248431a1571e6ddc55798b01fa961
SHA256 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
SHA512 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

\??\pipe\LOCAL\crashpad_2500_SMJIUXVMPNNPVKQY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bffcefacce25cd03f3d5c9446ddb903d
SHA1 8923f84aa86db316d2f5c122fe3874bbe26f3bab
SHA256 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
SHA512 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3c55c87dcfb7a33acab90185625a8ee2
SHA1 049588c43ef9404da0d7c7a7caba585dd1359947
SHA256 33b8b4a578908883402966d40896a6418c27d01f2b55c3d91c8971415ab220fe
SHA512 e30d58ad982832d197d63156f3406cce5e19a4b93b4f02dcb6aeda3e2a920c6e17b39736c0d355617e79ca8b484867c954105d0837d6e2219f154ee8bc4c5e82

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\Downloads\Unconfirmed 837482.crdownload

MD5 6cc89e555567938c375916be5a733a34
SHA1 c9738eb01a7689218c2f5ebee10357f929873966
SHA256 c056edcf0e88a67acfd746db4e7d1d5c5ee8fed7aa15b48a4ad13a8dca47dcdb
SHA512 4466b9c28a047d7fb46d1f6859ed5d6b966e9f5a98c5af253e65fca62b1200fc3eac8a25abc4730c236a5236b5e43938d6b820b27bd7c5c96e1f6123ee078fa3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2e2f5497235b83939f50078b2b7478f6
SHA1 8902afd8f0479c563e4b402cfdbf6d406d0d6075
SHA256 b1544b80c37d9c89cc6c34ec4b561a9d4e9c9267fb1d1cd623617b69e5b19a26
SHA512 67f6faa9c579af3eed43b6330a7c425bc068b8b0a6cd6ccf9f24fb9f5c7f45f5187b2a1710ca5fe1e7752ed7cdbd321c184a27b521db0810576f0ea373894869

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7d49af88fe750b18f5b7d61060ff8fc1
SHA1 30e9e71606a618f8a0bbe0e491ed1370e8fc7084
SHA256 16ae1c6610b83c20f2f9be05b2b83691465736f07b6f0593ef129943fd197615
SHA512 45b80176d27b1fa5af402011c09009df75a9c57ec290d43aa9bd08bb8eef3432a10c7f9abb468831949a4058c32f8be9406355f4d46036f52798573ed23068cc

C:\Users\Admin\AppData\Local\Temp\_MEI31922\python311.dll

MD5 76eb1ad615ba6600ce747bf1acde6679
SHA1 d3e1318077217372653be3947635b93df68156a4
SHA256 30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1
SHA512 2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

C:\Users\Admin\AppData\Local\Temp\_MEI31922\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

memory/3576-105-0x00007FF8A50A0000-0x00007FF8A568E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31922\base_library.zip

MD5 cb477acaab29ddd14d6cd729f42430aa
SHA1 2499d1f280827f0fee6ac35db2ddf149e9f549b0
SHA256 1ff28205db0021b6a4f354eb6090fc6f714c6581253f1c21ff12de137f40bed4
SHA512 5c977f327403f9c4080a8df8edbab057dfd27b32f29dd305f740e6465be2ade5c1dc91c10b304d210d89c6114f5ae18756e1be619217b460f00342a940e5be2b

C:\Users\Admin\AppData\Local\Temp\_MEI31922\_ctypes.pyd

MD5 ee2d4cd284d6bad4f207195bf5de727f
SHA1 781344a403bbffa0afb080942cd9459d9b05a348
SHA256 2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009
SHA512 a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55

memory/3576-128-0x00007FF8B16B0000-0x00007FF8B16BF000-memory.dmp

memory/3576-110-0x00007FF8A9040000-0x00007FF8A9064000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI31922\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

C:\Users\Admin\AppData\Local\Temp\_MEI31922\_ssl.pyd

MD5 936919f3509b2a913bf9e05723bc7cd2
SHA1 6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd
SHA256 efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3
SHA512 2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3

C:\Users\Admin\AppData\Local\Temp\_MEI31922\_sqlite3.pyd

MD5 c9d6ffa3798bb5ae9f1b082d66901350
SHA1 25724fecf4369447e77283ece810def499318086
SHA256 410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec
SHA512 878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448

C:\Users\Admin\AppData\Local\Temp\_MEI31922\_socket.pyd

MD5 3ea95c5c76ea27ca44b7a55f6cfdcf53
SHA1 aace156795cfb6f418b6a68a254bb4adfc2afc56
SHA256 7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923
SHA512 916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0

C:\Users\Admin\AppData\Local\Temp\_MEI31922\_queue.pyd

MD5 8b3ba5fb207d27eb3632486b936396a3
SHA1 5ad45b469041d88ec7fd277d84b1e2093ec7f93e
SHA256 9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051
SHA512 18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b

C:\Users\Admin\AppData\Local\Temp\_MEI31922\_lzma.pyd

MD5 5eee7d45b8d89c291965a153d86592ee
SHA1 93562dcdb10bd93433c7275d991681b299f45660
SHA256 7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9
SHA512 0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e

C:\Users\Admin\AppData\Local\Temp\_MEI31922\_hashlib.pyd

MD5 6d2132108825afd85763fc3b8f612b11
SHA1 af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0
SHA256 aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52
SHA512 196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0

C:\Users\Admin\AppData\Local\Temp\_MEI31922\_decimal.pyd

MD5 918e513c376a52a1046c4d4aee87042d
SHA1 d54edc813f56c17700252f487ef978bde1e7f7e1
SHA256 f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29
SHA512 ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497

C:\Users\Admin\AppData\Local\Temp\_MEI31922\_bz2.pyd

MD5 341a6188f375c6702de4f9d0e1de8c08
SHA1 204a508ca6a13eb030ed7953595e9b79b9b9ba3b
SHA256 7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e
SHA512 5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24

C:\Users\Admin\AppData\Local\Temp\_MEI31922\unicodedata.pyd

MD5 6279c26d085d1b2efd53e9c3e74d0285
SHA1 bd0d274fb9502406b6b9a5756760b78919fa2518
SHA256 411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6
SHA512 30fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9

C:\Users\Admin\AppData\Local\Temp\_MEI31922\sqlite3.dll

MD5 cc9d1869f9305b5a695fc5e76bd57b72
SHA1 c6a28791035e7e10cfae0ab51e9a5a8328ea55c1
SHA256 31cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee
SHA512 e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1

C:\Users\Admin\AppData\Local\Temp\_MEI31922\select.pyd

MD5 2398a631bae547d1d33e91335e6d210b
SHA1 f1f10f901da76323d68a4c9b57f5edfd3baf30f5
SHA256 487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435
SHA512 6568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21

C:\Users\Admin\AppData\Local\Temp\_MEI31922\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI31922\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI31922\libssl-3.dll

MD5 6eda5a055b164e5e798429dcd94f5b88
SHA1 2c5494379d1efe6b0a101801e09f10a7cb82dbe9
SHA256 377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8
SHA512 74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

C:\Users\Admin\AppData\Local\Temp\_MEI31922\libcrypto-3.dll

MD5 27515b5bb912701abb4dfad186b1da1f
SHA1 3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411
SHA256 fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a
SHA512 087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

C:\Users\Admin\AppData\Local\Temp\_MEI31922\blank.aes

MD5 5c2b77774d0390efa6e57e09e32fe984
SHA1 9abfb128ece21eb768adfe79b20b3b7b327e11c9
SHA256 0a7ab0e75216294c39a044e5ad2c6162032b6c8d0a94ef3ba9f9eb6f7728cbb3
SHA512 fb9d4c2e375fbdf88af665feb3f8cf7e64ca8311354ffa817022d2ce6b5f54a42aae535a2b60787550039d25b18aed665e6bb937bed47214bcf4102c61cd9bb4

memory/3576-134-0x00007FF8A7120000-0x00007FF8A714D000-memory.dmp

memory/3576-136-0x00007FF8A9070000-0x00007FF8A9089000-memory.dmp

memory/3576-138-0x00007FF8A70F0000-0x00007FF8A7113000-memory.dmp

memory/3576-140-0x00007FF8A4B80000-0x00007FF8A4CF6000-memory.dmp

memory/3576-142-0x00007FF8A70D0000-0x00007FF8A70E9000-memory.dmp

memory/3576-144-0x00007FF8AEB90000-0x00007FF8AEB9D000-memory.dmp

memory/3576-146-0x00007FF8A7090000-0x00007FF8A70C3000-memory.dmp

memory/3576-151-0x00007FF8A6FC0000-0x00007FF8A708D000-memory.dmp

memory/3576-152-0x000001707F940000-0x000001707FE62000-memory.dmp

memory/3576-154-0x00007FF8A9040000-0x00007FF8A9064000-memory.dmp

memory/3576-153-0x00007FF8A3FC0000-0x00007FF8A44E2000-memory.dmp

memory/3576-150-0x00007FF8A50A0000-0x00007FF8A568E000-memory.dmp

memory/3576-170-0x00007FF8A97F0000-0x00007FF8A97FD000-memory.dmp

memory/3576-183-0x00007FF8A4F80000-0x00007FF8A509C000-memory.dmp

memory/3576-189-0x00007FF8A70F0000-0x00007FF8A7113000-memory.dmp

memory/5496-190-0x00007FF8A39D0000-0x00007FF8A3FBE000-memory.dmp

memory/3576-199-0x00007FF8A4B80000-0x00007FF8A4CF6000-memory.dmp

memory/3576-202-0x00007FF8A70D0000-0x00007FF8A70E9000-memory.dmp

memory/5496-201-0x00007FF8A93F0000-0x00007FF8A93FF000-memory.dmp

memory/5496-200-0x00007FF8A4F50000-0x00007FF8A4F74000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lc2zklrr.mmh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5796-213-0x0000029DECBF0000-0x0000029DECC12000-memory.dmp

memory/3576-182-0x00007FF8A9070000-0x00007FF8A9089000-memory.dmp

memory/3576-223-0x00007FF8A50A0000-0x00007FF8A568E000-memory.dmp

memory/3576-161-0x00007FF8A6600000-0x00007FF8A6614000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI52962\blank.aes

MD5 8967c091f46d9cf1ed5b2d03d757ae7f
SHA1 2bae3f663b8f736cf594fe7e1c8adea35cd947b1
SHA256 29da8550cce2d32eb6d86fad225fd13e4d82838b44d6d3424d4ef5c9fe2b3446
SHA512 a4b88d62e421632e9076ae3cd8ff4a639257a40c3caebe9e8e0f24b704d3138bed870befdc3e7c9e3f03779a628d112137099b95d5a8478b8e183fab96ad5d01

memory/5496-228-0x00007FF8A2970000-0x00007FF8A299D000-memory.dmp

memory/3576-229-0x00007FF8A7090000-0x00007FF8A70C3000-memory.dmp

memory/3576-231-0x00007FF8A6FC0000-0x00007FF8A708D000-memory.dmp

memory/5496-230-0x00007FF8A2C00000-0x00007FF8A2C19000-memory.dmp

memory/3576-234-0x00007FF8A3FC0000-0x00007FF8A44E2000-memory.dmp

memory/5496-235-0x00007FF89C810000-0x00007FF89C986000-memory.dmp

memory/5496-233-0x00007FF8A1470000-0x00007FF8A1493000-memory.dmp

memory/3576-236-0x00007FF8A6600000-0x00007FF8A6614000-memory.dmp

memory/3576-239-0x00007FF8A97F0000-0x00007FF8A97FD000-memory.dmp

memory/5496-242-0x00007FF8A1020000-0x00007FF8A1053000-memory.dmp

memory/5496-245-0x00007FF89B9B0000-0x00007FF89BA7D000-memory.dmp

memory/5496-244-0x00000200A3320000-0x00000200A3842000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e2a64f1cd2ab205ba7d9fe81a5829502
SHA1 1fe1611e4aabcde63f1460484472042ee88a9156
SHA256 ce0120cf25294ce1493940ef47d3cec00536ca5042acac77c55513e59b33d8f5
SHA512 df6cc7023036470c94ec9105d1b246812df11c4ae94b7d52ab7fccc329a87005feabfddb79d8920f49111ecfe07c7bd11c99e19aba3514e3efa641612e128236

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 094ab275342c45551894b7940ae9ad0d
SHA1 2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e
SHA256 ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3
SHA512 19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d