Analysis Overview
Threat Level: Known bad
The file https://mega.nz/file/EF5CxB7Q#Ivrmu9gJBFm8mqpFHiacc3n75gtayXptVrTm4k8PbtY was found to be: Known bad.
Malicious Activity Summary
Exelastealer family
Exela Stealer
Grants admin privileges
Modifies Windows Firewall
Clipboard Data
Loads dropped DLL
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Network Service Discovery
Hide Artifacts: Hidden Files and Directories
Enumerates processes with tasklist
UPX packed file
Launches sc.exe
Browser Information Discovery
Permission Groups Discovery: Local Groups
System Network Configuration Discovery: Wi-Fi Discovery
System Network Connections Discovery
Event Triggered Execution: Netsh Helper DLL
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Gathers system information
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Collects information from the system
Suspicious use of SetWindowsHookEx
Kills process with taskkill
Gathers network information
Suspicious use of FindShellTrayWindow
Runs net.exe
Modifies registry class
Detects videocard installed
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-16 17:54
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-16 17:54
Reported
2024-11-16 17:57
Platform
win10v2004-20241007-en
Max time kernel
169s
Max time network
170s
Command Line
Signatures
Exela Stealer
Exelastealer family
Grants admin privileges
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 identical rows in the original report, none carrying an indicator, process or target; the signature only records that UPX-packed content was seen, not which dropped file triggered it)
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Note: every row in this table is a read (opened, queried, value enumerated) of HKLM\SOFTWARE\Microsoft\NetSh by netsh.exe itself, which netsh performs on each start to load its registered helper DLLs. The report records no Set value on this key, so it is not evidence that a helper DLL was registered for persistence; it is a side effect of the netsh firewall and wlan invocations listed under "Modifies Windows Firewall" and "Wi-Fi Discovery". A write to this key by any process other than an installer would be the thing to alert on.
Permission Groups Discovery: Local Groups
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Note: the process here is the browser the sandbox used to open the mega.nz link, not LSSetup.xml.exe; reading the BIOS manufacturer and product name is routine for Chromium-based browsers and should not be counted as sample behaviour.
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5c003100000000007059eb8e1000574f52444c497e310000440009000400efbe7059eb8e7059eb8e2e000000fc4202000000070000000000000000000000000000003385820057006f00720064006c006900730074007300000018000000 | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "3" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
Note: the BagMRU and Bags\N\ComDlg keys above are Explorer ShellBag view-state written by the common file dialog, so the sample opened a file picker rather than modifying any class registration. The BagMRU\0\0\0\0\0 item data decodes to a folder entry with short name WORDLI~1 and long name "Wordlists", i.e. the dialog was browsing a folder of that name. The \Instance\ keys created under WOW6432Node show the process ran under WOW64, so the executable is 32-bit.
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Note: the long WMIC.exe runs are WMIC enabling its full privilege set on every invocation and carry no signal on their own; the numeric entries are privilege LUIDs the report did not resolve to names (33 SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege, 36 SeDelegateSessionUserImpersonatePrivilege). The rows worth keeping are SeDebugPrivilege enabled by LSSetup.xml.exe and by tasklist.exe, the latter being what lets tasklist read other users' processes.
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
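Taken one at a time, the signatures above are noisy: tasklist, netsh, wmic, attrib and taskkill all run on clean hosts every day. What marks this detonation as stealer activity is one origin process driving many of them within a couple of minutes, mostly through short-lived cmd.exe wrappers. The Python below is an added example, not part of this report or of any sandbox's own code. It walks Sysmon-style process-creation events, collapses cmd.exe/powershell.exe wrappers back to the process that spawned them, and flags an origin that covers several distinct discovery or defense-evasion categories inside a sliding time window. The event records, PIDs and timestamps are constructed for illustration; the report gives no command lines, so the check keys on image names only.

```python
"""Behavioural clustering of LOLBin discovery activity, modelled on the
signature list above. Added example; the events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Image basename -> category. Each category mirrors one signature in the report.
LOLBIN_CATEGORIES = {
    "process_discovery": {"tasklist.exe"},
    "system_info": {"systeminfo.exe", "wmic.exe"},
    "network_discovery": {"ipconfig.exe", "netstat.exe", "arp.exe"},
    "wifi_or_firewall": {"netsh.exe"},          # wlan profile dump / firewall rule
    "group_discovery": {"net.exe", "net1.exe"},
    "service_control": {"sc.exe"},
    "hide_artifacts": {"attrib.exe"},
    "process_kill": {"taskkill.exe"},
}
# Wrappers that are collapsed into whichever process launched them.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(image: str):
    """Category of a LOLBin image, or None if it is not one we track."""
    name = basename(image)
    for category, names in LOLBIN_CATEGORIES.items():
        if name in names:
            return category
    return None


def resolve_origin(pid, by_pid):
    """Walk up through cmd/powershell wrappers to the process that drove them."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        event = by_pid[pid]
        if basename(event["image"]) not in SHELLS:
            return pid, event["image"]
        pid = event["ppid"]
    return pid, "<not in event set>"   # root fell outside the collected events


def score_origins(events, window_s=180, min_categories=4):
    """Return origins that drove >= min_categories distinct LOLBin categories
    within any window_s-second window. Events: dicts with pid, ppid, image, ts."""
    by_pid = {e["pid"]: e for e in events}
    per_origin = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        category = classify(e["image"])
        if category is None:
            continue
        per_origin[resolve_origin(e["ppid"], by_pid)].append((e["ts"], category))

    findings = []
    for (pid, image), rows in per_origin.items():
        best = set()
        for i, (t0, _) in enumerate(rows):          # sliding window from each hit
            limit = t0 + timedelta(seconds=window_s)
            cats = {c for t, c in rows[i:] if t <= limit}
            if len(cats) > len(best):
                best = cats
        if len(best) >= min_categories:
            findings.append({"origin_pid": pid, "origin_image": image,
                             "categories": sorted(best)})
    return findings


# Constructed sample: a tree shaped like the report's, plus a benign admin one.
T0 = datetime(2024, 11, 16, 17, 55, 0)
SAMPLE = r"C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe"


def _ev(pid, ppid, image, offset_s):
    return {"pid": pid, "ppid": ppid, "image": image, "ts": T0 + timedelta(seconds=offset_s)}


SAMPLE_EVENTS = [
    _ev(100, 1, SAMPLE, 0),                                      # ppid 1: parent not collected
    _ev(200, 100, r"C:\Windows\system32\cmd.exe", 1),
    _ev(201, 200, r"C:\Windows\system32\tasklist.exe", 2),
    _ev(210, 100, r"C:\Windows\system32\cmd.exe", 3),
    _ev(211, 210, r"C:\Windows\system32\netsh.exe", 4),
    _ev(220, 100, r"C:\Windows\System32\Wbem\WMIC.exe", 5),
    _ev(230, 100, r"C:\Windows\system32\cmd.exe", 6),
    _ev(231, 230, r"C:\Windows\system32\attrib.exe", 7),
    _ev(240, 100, r"C:\Windows\system32\systeminfo.exe", 8),
    _ev(250, 100, r"C:\Windows\system32\taskkill.exe", 9),
    _ev(300, 1, r"C:\Windows\explorer.exe", 0),                  # an admin's one-off ipconfig
    _ev(301, 300, r"C:\Windows\system32\cmd.exe", 20),
    _ev(302, 301, r"C:\Windows\system32\ipconfig.exe", 21),
]

if __name__ == "__main__":
    for f in score_origins(SAMPLE_EVENTS):
        print(f"{f['origin_image']} (pid {f['origin_pid']}): {', '.join(f['categories'])}")
```

Run stand-alone, the script reports only the LSSetup.xml.exe origin (five categories within ten seconds); explorer.exe, which spawned a single ipconfig, stays below the threshold. The window and threshold are the tuning knobs: in real telemetry, start with the defaults and lower min_categories only for origins that live in user-writable paths such as Downloads, as this sample does.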
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/EF5CxB7Q#Ivrmu9gJBFm8mqpFHiacc3n75gtayXptVrTm4k8PbtY
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8e3646f8,0x7ffd8e364708,0x7ffd8e364718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5424 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x384 0x38c
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3068 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6048 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\SilverBullet. v1.1.4.exe
"C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\SilverBullet. v1.1.4.exe"
C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe
"C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe"
C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\Config.setup.exe
"C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\Config.setup.exe"
C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\Config.setup.exe
"C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\Config.setup.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "gdb --version"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get Manufacturer
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get Manufacturer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4768"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4768
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 436"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 436
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4180"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4180
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5036"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 5036
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1560"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 1560
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5020"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 5020
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3832"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3832
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2188"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2188
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 928"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 928
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4064"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4064
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2424"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2424
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mega.nz | udp |
| LU | 31.216.144.5:443 | mega.nz | tcp |
| LU | 31.216.144.5:443 | mega.nz | tcp |
| US | 8.8.8.8:53 | eu.static.mega.co.nz | udp |
| NL | 66.203.127.13:443 | eu.static.mega.co.nz | tcp |
| NL | 66.203.127.13:443 | eu.static.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.144.216.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.127.203.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.api.mega.co.nz | udp |
| LU | 66.203.125.16:443 | g.api.mega.co.nz | tcp |
| LU | 66.203.125.16:443 | g.api.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 16.125.203.66.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 66.203.127.13:443 | eu.static.mega.co.nz | tcp |
| N/A | 127.0.0.1:6341 | | tcp |
| N/A | 127.0.0.1:6341 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gfs208n159.userstorage.mega.co.nz | udp |
| US | 8.8.8.8:53 | gfs204n151.userstorage.mega.co.nz | udp |
| US | 8.8.8.8:53 | gfs206n139.userstorage.mega.co.nz | udp |
| US | 8.8.8.8:53 | gfs270n352.userstorage.mega.co.nz | udp |
| US | 8.8.8.8:53 | gfs214n143.userstorage.mega.co.nz | udp |
| US | 8.8.8.8:53 | gfs262n337.userstorage.mega.co.nz | udp |
| BE | 94.24.37.49:443 | gfs206n139.userstorage.mega.co.nz | tcp |
| BE | 94.24.37.49:443 | gfs206n139.userstorage.mega.co.nz | tcp |
| BE | 94.24.37.49:443 | gfs206n139.userstorage.mega.co.nz | tcp |
| BE | 94.24.37.49:443 | gfs206n139.userstorage.mega.co.nz | tcp |
| LU | 89.44.168.62:443 | gfs270n352.userstorage.mega.co.nz | tcp |
| LU | 89.44.168.62:443 | gfs270n352.userstorage.mega.co.nz | tcp |
| LU | 89.44.168.62:443 | gfs270n352.userstorage.mega.co.nz | tcp |
| LU | 89.44.168.62:443 | gfs270n352.userstorage.mega.co.nz | tcp |
| DE | 94.24.36.47:443 | gfs262n337.userstorage.mega.co.nz | tcp |
| DE | 94.24.36.47:443 | gfs262n337.userstorage.mega.co.nz | tcp |
| DE | 94.24.36.47:443 | gfs262n337.userstorage.mega.co.nz | tcp |
| DE | 94.24.36.47:443 | gfs262n337.userstorage.mega.co.nz | tcp |
| ES | 185.206.27.53:443 | gfs214n143.userstorage.mega.co.nz | tcp |
| ES | 185.206.27.53:443 | gfs214n143.userstorage.mega.co.nz | tcp |
| ES | 185.206.27.53:443 | gfs214n143.userstorage.mega.co.nz | tcp |
| ES | 185.206.27.53:443 | gfs214n143.userstorage.mega.co.nz | tcp |
| FR | 185.206.26.69:443 | gfs208n159.userstorage.mega.co.nz | tcp |
| FR | 185.206.26.69:443 | gfs208n159.userstorage.mega.co.nz | tcp |
| FR | 185.206.26.69:443 | gfs208n159.userstorage.mega.co.nz | tcp |
| FR | 185.206.26.69:443 | gfs208n159.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.79:443 | gfs204n151.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.79:443 | gfs204n151.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.79:443 | gfs204n151.userstorage.mega.co.nz | tcp |
| NL | 185.206.24.79:443 | gfs204n151.userstorage.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 49.37.24.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 62.168.44.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.36.24.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.26.206.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.24.206.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.27.206.185.in-addr.arpa | udp |
| DE | 94.24.36.47:443 | gfs262n337.userstorage.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.github.com | udp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| N/A | 127.0.0.1:64903 | | tcp |
| N/A | 127.0.0.1:64921 | | tcp |
| N/A | 127.0.0.1:64929 | | tcp |
| N/A | 127.0.0.1:64932 | | tcp |
| N/A | 127.0.0.1:64936 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stealer.to | udp |
| US | 104.21.27.3:443 | stealer.to | tcp |
| US | 104.21.27.3:443 | stealer.to | tcp |
| US | 172.67.139.197:443 | stealer.to | tcp |
| US | 8.8.8.8:53 | 3.27.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.139.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | store1.gofile.io | udp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| N/A | 127.0.0.1:65051 | | tcp |
| N/A | 127.0.0.1:65053 | | tcp |
| US | 8.8.8.8:53 | 126.123.112.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.123.112.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 104.21.27.3:443 | stealer.to | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c2d9eeb3fdd75834f0ac3f9767de8d6f |
| SHA1 | 4d16a7e82190f8490a00008bd53d85fb92e379b0 |
| SHA256 | 1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66 |
| SHA512 | d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd |
\??\pipe\LOCAL\crashpad_4768_ZSQDOMSESTCQGTQZ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e55832d7cd7e868a2c087c4c73678018 |
| SHA1 | ed7a2f6d6437e907218ffba9128802eaf414a0eb |
| SHA256 | a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574 |
| SHA512 | 897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1cee12b8a8287b0d34b0b324c46a0c43 |
| SHA1 | 08c8e7dd1cc6a8cb49dda1a3c28f1a8bf857f453 |
| SHA256 | 54d5a561f221fc7ea9cf1e2108dddc69765e059acaa4fa916d22762e95e501ca |
| SHA512 | 333a46894489bc6ea91d084c521583b34d0783809eb5fcb0587f663ad6f0a0aff513ed6105476432b05d4eb25679765a1f56ce06333bbcb698475d3ecb685f5c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b75907f266c4af0eb2c7f03f6f4dbfbd |
| SHA1 | d5387a6d095867580be9bf41a8f813b1ec3f0597 |
| SHA256 | ca352bf0ee36db8b5cbd9a0b779816e6f550d292d0347595fc2c77618744b8fd |
| SHA512 | 3ee11495d9aef610d551aeb84bce36fe58e53f2a1a7f86a1c032d97e3229e7b6f7ce49f70e0ec38314aa6cf874d5ea1d5d9edc59f9d37bc88f9434470e5f75f7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c0d37961b316e271a2ed5767ed0908d1 |
| SHA1 | bd2eb1e8c98a0066f97649556f78c1602d4bb4cd |
| SHA256 | 9119acc1151afd0822867ede6506214040c05c014c382dee9fea2c7c600105c0 |
| SHA512 | 3b829b1d6033764544b9af8f1a0ff15ba75f6f8318e02c3bc37fe89d2c34809b6ecc3a1740f81f6471806a21adc06edfe245fd58c58a8306334b81a2a5a88f70 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\00\00000000
| MD5 | fdf9b7231e356baa352ece57c17d034e |
| SHA1 | be5a15a8d798805e326c268ac3605b3aa0d28101 |
| SHA256 | 1883b6a8012cd427ba38b2bd748b77272dcfcecb9565c7c37e0a4b730bcc2677 |
| SHA512 | f60a7d2fbb86ec88f9eeae92d991b53a30a18cc168b62e68a7817eac883cc16a6909e235970b29877e1a50c64cac3e121fb0a030665badbc9b461acba512c4b3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001
| MD5 | 3fd11ff447c1ee23538dc4d9724427a3 |
| SHA1 | 1335e6f71cc4e3cf7025233523b4760f8893e9c9 |
| SHA256 | 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed |
| SHA512 | 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 95328cd19caae89b9f9003f716df6d91 |
| SHA1 | 50132076e6cf61ed386fc4e89eeeaaef02ad6184 |
| SHA256 | 69486b1706896158b179b8b9e60369b3ed92fad22c442579f1c3b792f0e9d836 |
| SHA512 | f3a68c0042d92502c56a76fe423521994170766e4e0759a325ded1e9bbfa5d3b6418b68f8dacb366b880e69c4c40c3eb219a0addd66ad20177d782d613cf9427 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
| MD5 | f10900b4f046ae645c24f239fb71be17 |
| SHA1 | a211ffd7ea7fc858f9e0f8b997c315ea960ead25 |
| SHA256 | 9981be5b63eb6faa1e1fa73f8c4f6640bdb4e926b21cd346e12683caf2134c77 |
| SHA512 | c310c2c391c13cb493537dd4d43b7f89e3ed4697f02996e4aee9593a368b80f4e6ef79bac15813108d3aa5a60ba45115c0fb9cb52f15a69fdea6983ac9fb7838 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old~RFe5829f9.TMP
| MD5 | 815886a50df0d01f058f34b4fffc26e8 |
| SHA1 | f5586c49f77a011affba1f0c740c5d406976406b |
| SHA256 | 6cea9f4f1d842eae6e5c962c3b939329e093fedb3e72bd097a128ec1db8f0fe5 |
| SHA512 | e188647a91d8b560cdd0d4eb2dabcb123cfc8c228b0d38746385936bb21b83a44ec1ea853d16c4968b086489c05f47b4ced194424248e95d2e4d1aa912cf3920 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
| MD5 | 08105f9e8088d0c90c49ee86af664242 |
| SHA1 | 28a94b2ccde7e3ffb19dd5545c5b146b1931ae4a |
| SHA256 | 93704d941a2aac2db8d63b6c575b43968003154d6c4da3ab406956ce1ef57cb9 |
| SHA512 | 225b370bcfb853762458ab26f9363f8067b5492681fd48e03ba10181684fcf555f653d7fc1d9b94cb83406ebfecbcec4c651f4b7f32f83ce5caddb6b95818374 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe582db2.TMP
| MD5 | 9db36a3c94293bf1aaa6771ab4e5da25 |
| SHA1 | fa6e22f3064607cf217e1d8b4cd1197d4061fda3 |
| SHA256 | b25ffd894546e079241ded051df7e7eb4b1db454e720d37e1330bfdfe84563a3 |
| SHA512 | 5eaf41c2a1efb4f79d74f0eefae29783af7f45a08ea52d1ea4ec1540b25544e7981e14ccf3fbcd7e9ca33fa147a2c3313f0f31c3f0c2279ad400c0db607dddd0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
| MD5 | 9cf7b5996bdb9f111fb1e7c3b04fb896 |
| SHA1 | 97d1eccfd8faab131b3fc4b3fe2a1ef42568330b |
| SHA256 | 00b94ab1d57c3f4806d5938ac8710a31b2d876d40292b7f1ed3421b8199164d3 |
| SHA512 | a06488c40fa4daf41c7ad1c092f255803753bb1f20e0ce7e2593dfcb80f4fad5ea996522309ccd450fa591dcc610ee418d81f387b4c66112a0941af138a3f1af |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\000003.log
| MD5 | c5042f5fe4c5196eb4a9b2db9b4bc7d8 |
| SHA1 | c529dc7c7214f0f93f4905b5d527a9e42a403f68 |
| SHA256 | 7aee77df126fdb271262a7b723066c3fe4d23b43d0fe53b86059e7e7ccb392a1 |
| SHA512 | 42f677ce924fcb3b6f6d7976204ed346684cf3f7d5999269e26b9ac7adc5c83f929cc2d572f371d39c2fadc37bb95470d652111ee1573eb52578b031ba32129d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
| MD5 | dfd99e83204212f80f7fce79531f1723 |
| SHA1 | 9487be655ce0398517853527e7d09b58f5984234 |
| SHA256 | fbe2e63a89956add8ce279d31f6153b5b87b38f62edef3180ca3f0c4fc295f26 |
| SHA512 | 67131addfabb94598451dffe7333c8761822d631b35d6062230232064a1343804f1e01bb1c276f5a71bccdbbfb4ae9dcdb50cd0c7876d7477206a8164878e66d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old
| MD5 | a9630f2d6f6f68fed3bec628d314b6e4 |
| SHA1 | a671911826329c76a7a48d24968f0ed63893b311 |
| SHA256 | fb550ed3e4093676e88112c30734c9f7ba74722a26f9a8eec12e1026293df3f2 |
| SHA512 | 2f51d8cecd47a07936ab231560cf39c82e06fd3c7c035644ef3e34769ab406cafac4bb6ff0f83fe635ae685d994bb253e05147ac9f6df4d320f667da8fea8a5c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ba73c140ba1a2dfdcf0afbdeefca07ac |
| SHA1 | 30581af9c78960ecc786dc35bc043c3f91385930 |
| SHA256 | 05111f6c9e35853f2973e0375cccf5bde4a2918c461556316fbcea202b4331fa |
| SHA512 | 161cea54c3dafbd7a8534418a68e91abc80c43d49539401e1c2a6830f322a75b24a4b7e96730dfe22718ca236377a03a79e891dc271736a18ceaa65893fe5d69 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8da30adbe1685171a5457bc082f2af79 |
| SHA1 | d83b6fd5d66d3669f49ebf166ab2e38488e257fb |
| SHA256 | 9b537063b571b14e6246a6913b70e6473575ade6eee5640af8bccd538a9fdab0 |
| SHA512 | 09320663b891d3187c63a71275fca9562bb64d9c7cd1032264ac86baa38ece9af70199142bfb6a50765d9eccd5ea0166a972789e9e8bc727ef4f6b14e6ec1933 |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\python310.dll
| MD5 | fc7bd515b12e537a39dc93a09b3eaad6 |
| SHA1 | 96f5d4b0967372553cb106539c5566bc184f6167 |
| SHA256 | 461e008b7cdf034f99a566671b87849772873a175aefec6ed00732976f5c4164 |
| SHA512 | a8433d5b403f898e4eeebd72fce08ebad066ca60aeb0b70e2ae78377babc2acbbae2ac91ab20f813cce4b1dc58c2ad6b3868f18cc8ac0fe7be2bff020eb73122 |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\VCRUNTIME140.dll
| MD5 | 870fea4e961e2fbd00110d3783e529be |
| SHA1 | a948e65c6f73d7da4ffde4e8533c098a00cc7311 |
| SHA256 | 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644 |
| SHA512 | 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88 |
memory/1992-352-0x00000000002C0000-0x0000000000534000-memory.dmp
memory/4632-353-0x00007FFD873B0000-0x00007FFD8781E000-memory.dmp
memory/1992-364-0x00000000056D0000-0x0000000005FFC000-memory.dmp
memory/4632-363-0x00007FFDA1DF0000-0x00007FFDA1DFF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI45242\_uuid.pyd
| MD5 | 59cfd9669367517b384922b2485cb6a7 |
| SHA1 | 1bd44298543204d61d4efd2cd3980ad01071360d |
| SHA256 | e02bfad84786560b624efd56df55c88a4ffbd6c7cfc728bf68b6401aa10f849f |
| SHA512 | d0dd041d8493c7c19db01ea8477981148726796ce2ab58d3193064123319bd5b68fd57871d1db0aaa08d07f78ab96a3d343051c33ffd406e96b921248ea32665 |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\_socket.pyd
| MD5 | 53e72716073038c1dd1db65bfdb1254c |
| SHA1 | 7bf220a02a3b51aa51300b3a9ea7fa48358ca161 |
| SHA256 | e1fb6927ba2ed014d0ac750af0ee0bb3d49487dd6920848937259606e1e92e1d |
| SHA512 | c10d91b6ec82402b0eb05dc31a4703c999f4988e88204b695e009fae5fdcc61e8a6dc4d2879ecf2babc030224048afd2f256b9e7f5c5b6f28762047813be0941 |
memory/4632-387-0x00007FFD9D320000-0x00007FFD9D32D000-memory.dmp
memory/4632-386-0x00007FFD8B5C0000-0x00007FFD8B5D9000-memory.dmp
memory/1992-388-0x00000000052F0000-0x0000000005340000-memory.dmp
memory/1992-392-0x0000000005360000-0x0000000005380000-memory.dmp
memory/1992-395-0x00000000052E0000-0x00000000052E8000-memory.dmp
memory/1992-396-0x0000000005640000-0x00000000056B0000-memory.dmp
memory/1992-400-0x0000000006180000-0x00000000061C4000-memory.dmp
memory/1992-401-0x0000000006250000-0x00000000062CE000-memory.dmp
memory/1992-403-0x0000000005570000-0x000000000557C000-memory.dmp
memory/1992-402-0x0000000006520000-0x000000000676E000-memory.dmp
memory/1992-399-0x0000000006100000-0x0000000006124000-memory.dmp
memory/1992-398-0x0000000005500000-0x000000000551A000-memory.dmp
memory/1992-397-0x0000000005530000-0x0000000005558000-memory.dmp
memory/1992-404-0x0000000006FD0000-0x0000000007488000-memory.dmp
memory/1992-394-0x00000000055A0000-0x0000000005632000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI45242\_bz2.pyd
| MD5 | 6250a28b9d0bfefc1254bd78ece7ae9f |
| SHA1 | 4b07c8e18d23c8ae9d92d7b8d39ae20bc447aecd |
| SHA256 | 7d43f7105aa4f856239235c67f61044493ee6f95ddf04533189bf5ea98073f0b |
| SHA512 | 6d0aa5c3f8f5b268b94341dfdd5afbe48f91f9aac143bf59f7f5e8ba6f54205b85ec527c53498ed8860fdff6a8d08e48ec4e1652eeab2d3c89aaaf3a14fcaaa7 |
memory/1992-393-0x0000000005380000-0x000000000539C000-memory.dmp
memory/4632-412-0x00007FFD86EB0000-0x00007FFD87021000-memory.dmp
memory/4632-411-0x00007FFD88030000-0x00007FFD8804F000-memory.dmp
memory/4632-410-0x00007FFD8B570000-0x00007FFD8B59D000-memory.dmp
memory/4632-414-0x00007FFD88000000-0x00007FFD8802E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI45242\_ssl.pyd
| MD5 | 7e9d95ac47a2284706318656b4f711d3 |
| SHA1 | f085104709201c6e64635aeacf1da51599054e55 |
| SHA256 | 38dcb3d0f217785b39c03d4c949dd1e04b70e9eade8a4ad83f026390684059c9 |
| SHA512 | 294a5148d8fcddabd177b776617da7720d9876ac2a1cdf8dd7b9489f0f719600a634346cdfa07da66588de885b0a64d8cccde4d47edbf6305bd2af44ee209118 |
memory/4632-409-0x00007FFD8B5A0000-0x00007FFD8B5B9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI45242\sqlite3.dll
| MD5 | 6a3a34c9c67efd6c17d44292e8db8fad |
| SHA1 | 339b1e514d60d8370eaec1e2f2b71cead999f970 |
| SHA256 | 7b0e840165d65f0f5285476467e4c154c4d936613966b84948110a4614b9cad9 |
| SHA512 | 6f2a1b670d28762745f0d3b961a331cbbb0dec244f8798734b911b3a3bc9519c73a3b26f1e1117725f6f1e880e57cadb562a1450659bca1aae353f6b9575d7f5 |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\_sqlite3.pyd
| MD5 | e7d68df8f65fbb0298a45519e2336f32 |
| SHA1 | ad3c84ad7eb75a61f287b1ba9fd2801567e39b6d |
| SHA256 | 2473ebaf52723c3751a12117ebbe974e50ecdaeb40b282a12ba4e6aa98492e79 |
| SHA512 | 626204685e9b95310aba51be4a8abaf3b6e152fa35902f64f837303fc4011a4518ee393047ceb45bf377e9d965d169c92bfbb6673475150e159c59b7857ba03e |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\_lzma.pyd
| MD5 | 8edbeeccb6f3dbb09389d99d45db5542 |
| SHA1 | f7e7af2851a5bf22de79a24fe594b5c0435fca8a |
| SHA256 | 90701973be6b23703e495f6a145bae251a7bb066d3c5f398ec42694fd06a069f |
| SHA512 | 2a8bf60f2280b9a947578bd7fd49c3ace8e010a3d4b38e370edb511ea0e125df688bbac369d6a3cec9d285a1fa2ad2dac18a0ef30fda46e49a9440418581e501 |
memory/1992-391-0x0000000005480000-0x00000000054F8000-memory.dmp
memory/1992-390-0x0000000005340000-0x000000000535C000-memory.dmp
memory/1992-389-0x00000000053E0000-0x000000000547E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI45242\select.pyd
| MD5 | 3797a47a60b606e25348c67043874fe8 |
| SHA1 | 63a33fedffd52190236a6acd0fc5d9d491e3ac45 |
| SHA256 | 312e9b01d1632840983e8533d1685a64fb87e4538f724a7a59a71b1ba148bbac |
| SHA512 | 3eb7599825b7b21aaab05e420dd16d4a8eaa21652d232f6e4ede213a232b701401556e44df73cfa20ae855d1adc28304b52d42367b74ebd8e96c2e3d9a9b93e2 |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\_queue.pyd
| MD5 | 5c4c43763fb1a796134aa5734905c891 |
| SHA1 | 44a5e1ae4806406a239129d77888bd87d291a410 |
| SHA256 | 4edc80e7d331ba0e9338431d407157181190f995821d1cd24f7a7aa2422ece0c |
| SHA512 | 07bec7e4a85e76cfab2c21776b50ee2bd0454835fcb43b573dee757eca24cbeb4530784bae07de3be90820cee6d72023d9ded395d4f1a4931971db247dc1a71e |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\_overlapped.pyd
| MD5 | 5c1441f6ee11632183a83dac2d22853b |
| SHA1 | eef732ff4bab9ea5c8fffb6a93c47cfc8e64dae2 |
| SHA256 | 104e0b0e0e9fec9eb6438683296feeba298d5f23b02d2080577fc87ffec67acf |
| SHA512 | e41d3433754a8a3d2c572bb7f3902c0d37cba2e6f3307f0e6dfed316a22b11ef7e52a73c30085fa89fcff603e4b76858abe761217c320e38fa2eb95d1777b595 |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\_multiprocessing.pyd
| MD5 | 4fbc5fd5da9da74c04fe0374387b34d3 |
| SHA1 | 1e9c98db0486f98fb7d8eb9fa57a949494b649b5 |
| SHA256 | b2347790c87052623710382d3178887f68a79618d6da5174909f46b169236950 |
| SHA512 | ce87d4512c2ab7c1ad7986e8e1fe790615ae39c7667d234dfc09026ee7e1518b3bfbf7974612811db0c3e5654b35b54e118e23e624bebe027a51d2c8f2a4652a |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\_hashlib.pyd
| MD5 | 3b5530f497ff7c127383d0029e680c35 |
| SHA1 | fb5dc554bb9ff49622184cc16883a7567115c7ca |
| SHA256 | 5971fcc9758b7f4a12cde2190a323f35a34ab7f97bd8c39cc8f3335223102573 |
| SHA512 | 12ced7ddb0352f8eca3c3cb7c7c2faaf08e617b2dd278d20008051fb6b564b17c3e9ecfa8b0ffe7674154ad533dfbbf1e802accd5e1aef12ece01368da06e85a |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\_decimal.pyd
| MD5 | 20985dc78dbd1992382354af5ca28988 |
| SHA1 | 385a3e7a7654e5e4c686399f3a72b235e941e311 |
| SHA256 | f3620cac68595b8a8495ab044f19a1c89012f50d2fe571b7a1721485f7ff2e43 |
| SHA512 | 61b8ecd2d12b3f785773b98d4bf4af0eb6eb2c61fbea6effb77ec24b2127e888d0ea5fdd8cc298484e0f770d70c87907048fc382faace8e0ca6b49ab106c89f8 |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\_cffi_backend.cp310-win_amd64.pyd
| MD5 | 641e49ce0c4fa963d347fbf915aabdbe |
| SHA1 | 1351f6c4ac5dcda7e3ffbf3d5e355b4bb864eb10 |
| SHA256 | 1c795df278c7f64be8e6973f8dbf1a625997cb39ae2dcb5bee0ca4c1b90c8906 |
| SHA512 | 766b9adb5143e89d663177c2fb0e951afb84c0a43ec690ae2c477ee0bbe036df6f4161a6012430d42e4913fd5fbe7e49af6d13ac7c62d042a484861fc5a04616 |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\_asyncio.pyd
| MD5 | 7d4f9a2b793e021f7e37b8448751ed4e |
| SHA1 | 0ea07b5024501aad5008655cfeae6d96b5da957a |
| SHA256 | 2293c1b6b0b901832a57a1c4dcb1265c9e92d21177195712c30632a7b63227d4 |
| SHA512 | af75452279c308c61c3e222a031a8201e47e8fe44c4e92cb7dab03d56c7e7e3e2a2c589f650c50e0b29e2df175d6f2ff50c8e5e589d17a124bf0a2e0d7886c26 |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\unicodedata.pyd
| MD5 | fed35db31377d515d198e5e446498be2 |
| SHA1 | 62e388d17e17208ea0e881ccd96c75b7b1fbc5f7 |
| SHA256 | af3cdc9a2a1d923be67244429867a3c5c70835249e3573a03b98d08d148fe24b |
| SHA512 | 0985528cb0289086ec895e21a8947e04f732d5660460f2e7fa8668bd441c891438781c808bcea9294f348720e3752c10ea65363371f7e75ea48600d016bab72a |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\libcrypto-1_1.dll
| MD5 | 86cfc84f8407ab1be6cc64a9702882ef |
| SHA1 | 86f3c502ed64df2a5e10b085103c2ffc9e3a4130 |
| SHA256 | 11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307 |
| SHA512 | b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c |
memory/1992-419-0x0000000006BE0000-0x0000000006CB0000-memory.dmp
memory/4632-418-0x00007FFD87F40000-0x00007FFD87FF8000-memory.dmp
memory/4632-417-0x00007FFD86B30000-0x00007FFD86EA5000-memory.dmp
memory/4632-423-0x00007FFD87F20000-0x00007FFD87F35000-memory.dmp
memory/4632-427-0x00007FFDA6790000-0x00007FFDA67A0000-memory.dmp
memory/4632-433-0x00007FFD9D320000-0x00007FFD9D32D000-memory.dmp
memory/1992-436-0x0000000008740000-0x00000000087F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI45242\yarl\_quoting_c.cp310-win_amd64.pyd
| MD5 | c14493cd3cc9b9b5f850b5fadcbe936e |
| SHA1 | eddb260ff89bfa132a479fdf783c67098011fb85 |
| SHA256 | 1782f3c12b3eb01716fcd59b0cd69c02c2fb888db4377f4d5fe00f07986be8e3 |
| SHA512 | 0a7b85322b8fa566fb3d24b8e4021fb64433be06c3c4dbeb06d9633e4af0a5b76252fb2228de0abd818be5f4a18fffc712c727816632dd8c8585c9a9a7bf0fb6 |
memory/4632-442-0x00007FFD87220000-0x00007FFD87242000-memory.dmp
memory/1992-443-0x0000000006B90000-0x0000000006BAE000-memory.dmp
memory/4632-441-0x00007FFD86EB0000-0x00007FFD87021000-memory.dmp
memory/4632-440-0x00007FFD88030000-0x00007FFD8804F000-memory.dmp
memory/4632-437-0x00007FFD87250000-0x00007FFD87368000-memory.dmp
memory/1992-435-0x0000000006D70000-0x0000000006DE6000-memory.dmp
memory/4632-432-0x00007FFD8B5C0000-0x00007FFD8B5D9000-memory.dmp
memory/4632-431-0x00007FFD87370000-0x00007FFD87384000-memory.dmp
memory/4632-430-0x00007FFD87390000-0x00007FFD873A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI45242\multidict\_multidict.cp310-win_amd64.pyd
| MD5 | 58a0ff76a0d7d3cd86ceb599d247c612 |
| SHA1 | af52bdb9556ef4b9d38cf0f0b9283494daa556a6 |
| SHA256 | 2079d8be068f67fb2ece4fb3f5927c91c1c25edecb9d1c480829eb1cd21d7cc5 |
| SHA512 | e2d4f80cdeba2f5749a4d3de542e09866055d8aee1d308b96cb61bc53f4495c781e9b2559cc6a5f160be96b307539a8b6e06cabeffcc0ddb9ad4107dcacd8a76 |
memory/4632-426-0x00007FFD9CA40000-0x00007FFD9CA64000-memory.dmp
memory/4632-422-0x00007FFD873B0000-0x00007FFD8781E000-memory.dmp
memory/1992-420-0x0000000006CB0000-0x0000000006D6A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI45242\libssl-1_1.dll
| MD5 | 6cd33578bc5629930329ca3303f0fae1 |
| SHA1 | f2f8e3248a72f98d27f0cfa0010e32175a18487f |
| SHA256 | 4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0 |
| SHA512 | c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\pyexpat.pyd
| MD5 | 46331749084f98bcfe8631d74c5e038f |
| SHA1 | 5e5510f7a4d03f10d979e0d6a0d2a6f0e53ca347 |
| SHA256 | 21cc4b9ccd69d08d7c1068b1f004ae9454f7ea0a322801860faf0e6f4a24a3df |
| SHA512 | edd39ce2d927fb6700a86db07f4f56cab897ef91a320f3e5ecb542ea1be6888dd27a08008e5fa1df3765b0c82d1046a23c8d59e76d11f4e6449d4d6826879589 |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\libffi-7.dll
| MD5 | d50ebf567149ead9d88933561cb87d09 |
| SHA1 | 171df40e4187ebbfdf9aa1d76a33f769fb8a35ed |
| SHA256 | 6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af |
| SHA512 | 7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de |
memory/4632-362-0x00007FFD9CA40000-0x00007FFD9CA64000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI45242\_ctypes.pyd
| MD5 | 4b90108fabdd64577a84313c765a2946 |
| SHA1 | 245f4628683a3e18bb6f0d1c88aa26fb959ed258 |
| SHA256 | e1b634628839a45ab08913463e07b6b6b7fd502396d768f43b21da2875b506a1 |
| SHA512 | 91fa069d7cf61c57faad6355f6fd46d702576c4342460dadcedfdcbc07cd9d84486734f0561fa5e1e01668b384c3c07dd779b332f77d0bb6fbdbb8c0cb5091bc |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\python3.dll
| MD5 | c17b7a4b853827f538576f4c3521c653 |
| SHA1 | 6115047d02fbbad4ff32afb4ebd439f5d529485a |
| SHA256 | d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68 |
| SHA512 | 8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7 |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\base_library.zip
| MD5 | f5b15ac0a24a122d69c41843da5d463b |
| SHA1 | e25772476631d5b6dd278cb646b93abd282c34ed |
| SHA256 | ec3b8c865c6e3c5e35449b32dcb397da665d6a10fbee61284489a6c420c72a3b |
| SHA512 | 1704611166d63962e14deb6d519c2a7af4f05bca308c1949652fddf89bc526c594ede43a34b9306e5979998576f448951d08ad9e25b6d749d5d46b7d18d133b8 |
memory/1992-453-0x0000000009050000-0x0000000009072000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI45242\aiohttp\_helpers.cp310-win_amd64.pyd
| MD5 | 79dbf6677f21a17c9561eb008cc2a987 |
| SHA1 | 096ef929cd31638cdc3ec18883495e5999efd263 |
| SHA256 | bd1638d83bcc69d9cadc1812d5db298f67d1e1b2831cc7783587c0ac7cf9b595 |
| SHA512 | 2d9d8814f0d69b56a7ff1e9bb4207d00f9259113bc8f3e20211341cffeed117829ba9b80d8c0fb9b2da9fc68910a2be039b0fcf1c7bb0de23efee6644d17e164 |
C:\Users\Admin\AppData\Local\Temp\_MEI45242\aiohttp\_http_writer.cp310-win_amd64.pyd
| MD5 | 878a426eb61ebecdba1016400e8fe60d |
| SHA1 | 7ae2f28199cde86ce2cc382d6a1b87b373940d95 |
| SHA256 | 53fc5a5371a69ec8a700dea681654483c2be301f584d9393789cb5a134ba6aa8 |
| SHA512 | d1297868c9400530733538947603e0c73722600c11dc5ce0d7d8371939a7ac840ac0b574b42d9a9a407c3cfbdd938672f73e5da54aa8317eea4053e66fcd6475 |
memory/4632-458-0x00007FFD87200000-0x00007FFD87217000-memory.dmp
memory/4632-465-0x00007FFD87150000-0x00007FFD8716E000-memory.dmp
memory/1992-466-0x0000000009080000-0x00000000093D4000-memory.dmp
memory/4632-464-0x00007FFD87170000-0x00007FFD87181000-memory.dmp
memory/4632-463-0x00007FFD86B30000-0x00007FFD86EA5000-memory.dmp
memory/4632-467-0x00007FFD87F40000-0x00007FFD87FF8000-memory.dmp
memory/4632-462-0x00007FFD88000000-0x00007FFD8802E000-memory.dmp
memory/4632-461-0x00007FFD9C2B0000-0x00007FFD9C2BA000-memory.dmp
memory/4632-468-0x00007FFD85BA0000-0x00007FFD86295000-memory.dmp
memory/4632-460-0x00007FFD87190000-0x00007FFD871DC000-memory.dmp
memory/4632-459-0x00007FFD871E0000-0x00007FFD871F9000-memory.dmp
memory/4632-471-0x00007FFD87110000-0x00007FFD87148000-memory.dmp
memory/1992-470-0x0000000009A10000-0x0000000009FB4000-memory.dmp
memory/4632-469-0x00007FFD87F20000-0x00007FFD87F35000-memory.dmp
memory/1992-475-0x00000000064F0000-0x00000000064FC000-memory.dmp
memory/1992-479-0x0000000009750000-0x000000000987E000-memory.dmp
memory/1992-480-0x0000000009640000-0x0000000009648000-memory.dmp
memory/1992-481-0x0000000009680000-0x0000000009688000-memory.dmp
memory/1992-482-0x0000000009710000-0x0000000009748000-memory.dmp
memory/1992-483-0x0000000009690000-0x000000000969E000-memory.dmp
memory/1992-485-0x000000000B310000-0x000000000B44E000-memory.dmp
memory/1992-486-0x000000000B6A0000-0x000000000B8EC000-memory.dmp
memory/1992-488-0x0000000009880000-0x00000000098FC000-memory.dmp
memory/1992-491-0x000000000B620000-0x000000000B628000-memory.dmp
memory/4632-501-0x00007FFD87250000-0x00007FFD87368000-memory.dmp
memory/4632-506-0x00007FFD87220000-0x00007FFD87242000-memory.dmp
memory/4632-507-0x00007FFD87190000-0x00007FFD871DC000-memory.dmp
memory/4632-544-0x00007FFD87200000-0x00007FFD87217000-memory.dmp
memory/4632-545-0x00007FFDA2FF0000-0x00007FFDA2FFD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ggbk43vu.kcu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1760-557-0x000001D9FBA30000-0x000001D9FBA52000-memory.dmp
memory/4632-562-0x00007FFD873B0000-0x00007FFD8781E000-memory.dmp
memory/4632-582-0x00007FFD87190000-0x00007FFD871DC000-memory.dmp
memory/4632-588-0x00007FFDA2FF0000-0x00007FFDA2FFD000-memory.dmp
memory/4632-587-0x00007FFD87110000-0x00007FFD87148000-memory.dmp
memory/4632-586-0x00007FFD85BA0000-0x00007FFD86295000-memory.dmp
memory/4632-581-0x00007FFD871E0000-0x00007FFD871F9000-memory.dmp
memory/4632-580-0x00007FFD87200000-0x00007FFD87217000-memory.dmp
memory/4632-579-0x00007FFD87220000-0x00007FFD87242000-memory.dmp
memory/4632-575-0x00007FFDA6790000-0x00007FFDA67A0000-memory.dmp
memory/4632-574-0x00007FFD87F20000-0x00007FFD87F35000-memory.dmp
memory/4632-570-0x00007FFD86EB0000-0x00007FFD87021000-memory.dmp
memory/4632-569-0x00007FFD88030000-0x00007FFD8804F000-memory.dmp
memory/4632-563-0x00007FFD9CA40000-0x00007FFD9CA64000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\CoinbasePasswordSender.svb
| MD5 | 2eb4c6fb0484927f98cbd6d3b7c4ab34 |
| SHA1 | dbc5434472a46e36764a161100e014b2d5499eae |
| SHA256 | aa70a162e3af1a44ba9362dc78544a882826b5dddc19aaf3b870a7c4cc09a36a |
| SHA512 | 630c14a32e6d514abb8e047cae27f193d924e30878512c3c5b189aaaf8e64800e5255abc44850847c66de9cb4a1996eeff39031f6fe086cb8e66c424035192e0 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\HMA VPN KEY AUTO GEN+CHECKER.svb
| MD5 | 651aeaefbdff22ceb5d55e6b2d0df47b |
| SHA1 | e0f7ab217d41f74dfae98f6055015dc9e21857e4 |
| SHA256 | 702741eb3f42ab03c33a7dcf827468528b6b89efb19fe3c4e04c8d01be507a67 |
| SHA512 | ba09a9429968fb662b71d5f3a18bd217b6484741be62799e3583b1a526e436bc82308a89d0d9d638a3b4a9ed602306557ddabc93e305a3ba17bbae13193309c4 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\Nexo Wallet.svb
| MD5 | e2d4a76bd03a2e1b977e236ff59c7c58 |
| SHA1 | 7caa71389249082130180356cf521830120231ee |
| SHA256 | e5d815920777354b78ce091c1bd6379d0977d7ef4ae2b4dc098473deb96829d9 |
| SHA512 | 501fbd2f921914d1e9b026a3c5654324505472d061c629b982f07322bbd5acec219dc04bfaeff1acfe7ad6c10233103e7b4fc7aebc26fb9fb490d153a7540d11 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\Pibridge Wallet.svb
| MD5 | ad0ce0ed022b9700b3b799306a012c52 |
| SHA1 | 4a1adcbbedb45ea9da4783a054257379900ea253 |
| SHA256 | 468ff3d2e427024a0223a41ffb229cc7b11e7ce6b9b52380d91bd79a2385992e |
| SHA512 | 34468532200caa165d34018840655319aa0654425672f065460e2943b5a8721bc8f63d055cb8e90ac3bb7b6940379e13b2fe88e643961a6957613df77514a6da |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\RESTOCKS API (WALLET).svb
| MD5 | 8bbded9f1d9b218251289b486b3a29c6 |
| SHA1 | e5ace282b24891fc4d79cda8d9013142a3c8befe |
| SHA256 | 841c4226b45c1f3aecb4aa099bde2d56959e3f20abfbc14bc9c4072e8db73438 |
| SHA512 | 0872fb581ff7efc4d0b7e99da1ed20ec54074a5fc7138f8b1f8992ec9b28b344ba9f66391c8e951bd0fa81d5585cd2f0b194e1b44f7fd0434a90fe1d27ef73e9 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\Trust Wallet API.svb
| MD5 | 088bd79691133c358f83b50778ee39e7 |
| SHA1 | e361b2325b79cc2bb83520daa2bb36a7840eff05 |
| SHA256 | 771f1d5e3c8710292a3b9cdbbc55c54b8b72a58e4efea4af2a63af17d8409cc3 |
| SHA512 | af4db0dd5d4b0a81c6232d2f8edaa9a8e403546ee69fac67974545c123829db2672073e4138f5d1bbaf06d9eefd32558ca8199db4bad223b096f1fe7e6247d1e |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\VICTORIA SECRET BRUTER.svb
| MD5 | 4470d00f3b5b0b498befc059072c1cba |
| SHA1 | 243e82c1ea0accdcffb38240dac83042a1b8c46b |
| SHA256 | 53f46bd63779c65746064d944443dcbc06969a2aa026b6f24a020cafe488fd8d |
| SHA512 | bf9ba90953289afb27e6c4bd640732501f809c9114163167b4a44d28196a014262a881f00bfdecee8a6a1f48fc4f23cab310dc02a8f4f0ab558117468b6da65a |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\Spotify_Account_Creator.svb
| MD5 | f88846f171ad71cda8d2955751c7cc20 |
| SHA1 | 12fd09e22ff284b8d3f2eae8f5a1de94076b7316 |
| SHA256 | cb0b0402feffcda2e5e66eec58a3c5040e5bffecfb77528d6784962c31eaeb59 |
| SHA512 | 23c8652dcba43b9898631406384f361e2a0ead41310a941059b7fe5dcfd9cc137e3c209c702a208da5767b74d669045de97989e4314ff59994abe75c8c891c92 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\VICTORIA SECRET.svb
| MD5 | 8a950a195ad16bb2393d594dbcc5d27d |
| SHA1 | 03c29afa6d04b4a0e7ed93656781622ef7b963bf |
| SHA256 | 250903667e2a2ec3d2282e7d73c710b792e2e022ef06469d4ebbf55157c56f5e |
| SHA512 | 65acb2500a17a56c24009d71a550ec99c3a0ad52ba8d9974c4f398968abd67c740c0a10e0501745bcccd7b87d23a7772af5237757b78cec72ac865659d495989 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\wallet.pibridge.org.svb
| MD5 | ccb04af03377512ad96fd88c0c57752d |
| SHA1 | 5d80c6f33bdf94d06c03d8f45d35834fe35d0bc5 |
| SHA256 | 1cbe6005dd81fae9c8d43b1a7ddd3aa09391e6b891dbf23a4628646576aa5635 |
| SHA512 | f4cfeae699a21b1da9426604c48191e0c3fc3a3289044fc48e800cf34485c06f8aae3bce33ab7b087cfae2d693745add907cfceddc2cdc2027cfe4067f072819 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\DB\OpenBullet-BackupCopy.db
| MD5 | 624b3c53b63c7f2e80bda47c8fb51098 |
| SHA1 | cd6276cd2d6ad00041c7bb3b6e663af50f9cc584 |
| SHA256 | 8261daa3e6b21588afa7456dade138ef4d4c085ecba4a3c0c3c2132e364fd306 |
| SHA512 | 6be94a98cb8113fd1179b42109b4cdb8b24f54ffdeacf7727661f966906cc953fa574e20e123e700899a36fc172c34e3adafb303b30ae972f8801cd68c8b5b81 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\HideSearch.docx
| MD5 | 97e4c63b78b3084d8d15b9609e8be79c |
| SHA1 | e1b1c2a37f89742dcdaa276e1378794c6ec17355 |
| SHA256 | 59eecf099d977e9110bab7e624fd6c722bc705766039583c0a5311d1e263c3ab |
| SHA512 | 3a1fc1f638013f70c08bc7f343465e3dd5678bd29b2ad60033961648b4ae207b51ac66207779d09aae15e3b3378e3d34a6687b9c61f8cf6f36285bb926635dfd |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\OutBackup.vsw
| MD5 | f4c7e40560ebaeb761923053da2a55d4 |
| SHA1 | fd3111b9a32fa947bf077e76aa3ae4e3d347450c |
| SHA256 | e38436cb4b56d9e734125e6d153d03c0e966928bb042c4eadd7742642b6432ad |
| SHA512 | aca0f04f193b8b4142de0318acd18c3fccad912da283cca052e971da0716350c18c7b8878b83f976db9492afde5f3fe6c1ea16cedd80e2f73775c1fe1a96a045 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\OutExit.jpg
| MD5 | 6314da4582637c4c75f4af4ccf1519d4 |
| SHA1 | baf87f589e8d1fa0f809371a1afc529de076e88f |
| SHA256 | 81cb00afd176bb2ee5d8b22a3f123bc3c3d133b9619f2ece9238898dfa9687d1 |
| SHA512 | e23f39424e9ba264b6c65a58cee16fd13bce6714f97b5e09f0f88bc191c188a2eee2c53db0b2565fa277129eed6639e3a02b70215cbcf79b0c3d1a9e0a8f8057 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\StartShow.txt
| MD5 | 0ab53ee53d5aa6b2744eabea8b4f1a71 |
| SHA1 | b9e21bbdf26d2cc1cf4c6ad494fa63b8b09aaf1b |
| SHA256 | 93aaecc62fc01001447f3916c1033d805631aff858d99e81a15902fa675d8915 |
| SHA512 | de330f1f1af7e23c456bb2840ace20ea1bf9df84a206032777c1859c80ee4af8f9a33dfd522bda74a82b43300cf7ccd851a6f7007e63fa83665479146c228605 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\RegisterReceive.docx
| MD5 | 52c7cd9185f31e47a2e3b19f15845e32 |
| SHA1 | ef256b0d4815caaa96fcc584b580f79c6558bc1b |
| SHA256 | 9f8eefbcc905361b412c53933940643fdbae30de78f8dbba2cea054adf9fcf55 |
| SHA512 | 7de743d56600d2f3abd9ec5a3d7bf1db2554289c1b9cc2eff7ee019d320a42611bb638837120077df1455b58bfbacdff749130ffa1ace8ba924363d1c794851e |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\PingConvertTo.docx
| MD5 | 7e9649ebd5cbb9507dc8bef432f925ef |
| SHA1 | ee66aaa5645964f02d01ad2ca6ce59ce681275bd |
| SHA256 | ca1a28f5abec201171ee4e7853537e76de56bea49bbd058b16c2e4a229e63ab7 |
| SHA512 | 29c1ea5dd91f156cd84d44d46ad43f9f613d89fb6b19a6cbe7453bba77ad6f91969abb53b06ca0824735f3ebcd21429b87bc9690222b3bc845477cf988e5fc75 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\EditRestore.csv
| MD5 | ae2557b137235a024c99db6f7209b9c3 |
| SHA1 | aa61217675fca34b6b8a0a4cd1d69b12cfb3cceb |
| SHA256 | db2f9fa8ecec310dcf8bcd5a8e67cbdb582b6766e845a5ee3a3904fa760766ca |
| SHA512 | bba35e818456424c3afabbccace5a2b9c4788a89423b3943a4d00094f4e3e16c813809b5fe267d6ef7b1b50bbbb977078e37de4879f86d0b978eb6609804ccc3 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\CloseDeny.xlsx
| MD5 | e66d36bb38d306cf86279569f272a158 |
| SHA1 | 096c5e5d3af653264e88839dcb4e8dc43bd23cea |
| SHA256 | c6efcee975f69f60039fb28d550592930ceba8e14d17539e2445ca60249451e2 |
| SHA512 | 563ecfb442f583b795e3baa788c737d9d0b4a070824b1ba66d8573c1bf25877a467ab42e07c468ea840097200956f1fdc477b26e1779618c511671ac11653364 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\SubmitEdit.docx
| MD5 | 3349cb13db51168f986cff4cfd328d64 |
| SHA1 | be4b022b7dc5f2b5dd0d86c336bafc1a111dce57 |
| SHA256 | b2dd500bf34b052c4a48cb40782e4dabfd987888fd81e2d736f34b37ca8fa57d |
| SHA512 | 5eb00c7a9b268ed114c180cecb12ac6377fbf8aa3b9c97cf8f37424db14c5690e2b9dfd05c60d1ae928e6ccc1050c66c47a0ef5669b511cd72df6cf8e19e5108 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\OutSave.docx
| MD5 | 6911cb0f6b3c0b39072965d2f881d4a9 |
| SHA1 | 0b49780273c7fb8b255b5c5a4b22e19cd02944f0 |
| SHA256 | 73d83af84512d3d379757cf06d02fcde1e96b066c39418ef661348a1a00a7f2e |
| SHA512 | de93642a2e0b1fb3ca14080fad91d088d5c8d1dde5c869835481140237e65e627903f8247692e102ab3e7cb54c3d7f8a4586a28c59ce4913f8f8a17131f3f509 |
memory/4632-787-0x00007FFD873B0000-0x00007FFD8781E000-memory.dmp
memory/4632-807-0x00007FFD87190000-0x00007FFD871DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RestoreSearch.csv
| MD5 | 83c3e91e0792648e59a7a2c044e910b3 |
| SHA1 | 45bba9c756b11bce374d62017472d1ed37f4780a |
| SHA256 | c7b5dbc0dcfb677b4b4a66dfee6744d7e5fde29028e780a718f70f116f8f3293 |
| SHA512 | 27bde127ea53edcf4f140ea4793cc92154d1ccfae1e17340d8ba0a027a582e94f8f15cc12cd5f8c805ff8628d6679a7689920d8c9ef0976e3f4a84327c1071d5 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ResizeInitialize.docx
| MD5 | 74f588760761ccf90da72be376f5152e |
| SHA1 | 38739716168958ac78bddda787cd3d41c715afbe |
| SHA256 | f93799a73698f4ef027e4535ebda8578fbb0432aa57802f19c90c9a6008eed50 |
| SHA512 | bd30c21c33011fcce3892f4f3a75e03df46378eb035f3ebd32357e6a873a79bae4d8fb4776f54e6ef84c6c1096b86ea2fdea4d70c5688bbc21af434eb17aa91d |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RemoveStart.xlsx
| MD5 | b78ffda1fa43aa28cb43d2c7edd0e00c |
| SHA1 | 15523f9738df57e70881e1ccd90d0f65b5ad3ab5 |
| SHA256 | d5a2b3d09725d9a0ace2715ec4245674712b96738cf913f2f8b03644e8aa17e0 |
| SHA512 | fd27864bbcf5aab62458501c4d64306d171e7bbd3bdfa080144f0ec6cbccf62bb8c910a7d0132ced3dd4d2e0cd9fcf10dfa9ab0a9b6110809898daebe1bc6222 |
memory/4632-806-0x00007FFD871E0000-0x00007FFD871F9000-memory.dmp
memory/4632-804-0x00007FFD87220000-0x00007FFD87242000-memory.dmp
memory/4632-799-0x00007FFD87F20000-0x00007FFD87F35000-memory.dmp
memory/4632-798-0x00007FFD87F40000-0x00007FFD87FF8000-memory.dmp
memory/4632-797-0x00007FFD86B30000-0x00007FFD86EA5000-memory.dmp
memory/4632-796-0x00007FFD88000000-0x00007FFD8802E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\CheckpointCopy.jpg
| MD5 | 2452dd6a1c9f14c59afb61d0235a3c5d |
| SHA1 | ec0ccee326934d977f3967235bc23cbcbc869116 |
| SHA256 | 3cc93eab4941bf3376f9f273a1808863928c7952f7c3aa1f3701ec627230113d |
| SHA512 | 16e64128b3d00f6becfb643cf03b78e52662cbd966eabf1c43e1676f3a68a0773568f14750f3c6d2a41f894469a8d072fee52d10640e3de10650121167598dd0 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RestoreSet.xlsx
| MD5 | 65ea650bd755de9bece169f8dd06d663 |
| SHA1 | 6d46b4892c76cd7f39a7aa8977bd8c3e2964326d |
| SHA256 | 9327a459d7246216c4f3e2317ca7975ce3f68b6532063d3a32c9ddfa71616d2a |
| SHA512 | cc225a1249bc43341d940f574537a1a290c1c5fc9bdbfef433d8eb2d53bbd51bf5e60ad2731324fad12c6c4adae55690e806741b098879b08dacc0b116d4dce4 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ConvertFromCompare.xls
| MD5 | 5178d6dca1e1d8a34e5a1677d03116b9 |
| SHA1 | 0e1894940a13fae600b380fd89bbeaa133a29879 |
| SHA256 | cb18ce9858910f68e4ceea980e1c04a3ee33ee6d38d81ebdf75b86db1825b8bd |
| SHA512 | 2e9afff1474f5077050ec314d07b7ce8fccb181e04fb4138b60e091d9e820f1bdaca15c58f35f1f0f725031442e61a0acb87db9f95cef1b035de3fe7b0db2bc0 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\RemoveStep.jpg
| MD5 | 64215b68e25fb8a0bebeb1d91e784b7a |
| SHA1 | 281152aa8884bfd91e9440627d58ce2435f6d560 |
| SHA256 | 4eb3e9f84bf5eee0966c03dac16fb5f6ba52ebec9063a59a1b28ee73138e5823 |
| SHA512 | bda6d5712ac0bb3cc86a1f4c069a0aa61bb124f308f34bfaf5a947df790680ec635ae819fd3cd8bf4552833ef7e230d0ee51c14727fd16f27563bbd6a1919232 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\RevokeShow.jpeg
| MD5 | e6b2e64540c5408bf3914ad3a554edfa |
| SHA1 | 44f9d0d666c9826f6f6ee68cf0342dd74decbc49 |
| SHA256 | 145b5c3cc83d942e4c78c6e6ac9472b7822b31b9d28ad3ad2286054c08417392 |
| SHA512 | 35aaadedc9f33fc032a0c8d87b4cc965f1ce42c1dd0e1be9d5215f069318066e20cf3b70e929883a95e7979d5aecbf7009c1c8729eabfbc92ccff057c843ffe8 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\UnprotectGet.xls
| MD5 | 577a4d20bf1117a5dc8220f26ea0a51b |
| SHA1 | 86824dbd6e0461fe3bfb80d6e2c9f6b5909ab50f |
| SHA256 | 626b8a1685c69b86feadfd054686d494a5ed0d714f88d63edb3c8f211a07a5ac |
| SHA512 | d011f47924e480aa50a5b5a25becfbd889a3c321a88e9cefa12d215ac5b9464d58620113043b43de9cacfd7f1aa012152e15a021d1738ae5f9bc76527efc2dc0 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\MeasureProtect.jpg
| MD5 | 82ada01a397e0b78e0e0bccc35476b8c |
| SHA1 | 4c6b57583e07caad4c22e3e5e78d75d9e00b7a09 |
| SHA256 | e24ed92e50254bf59919c3fcf25bf03cc0fc162878255891794df6cb58b15497 |
| SHA512 | c4ee8bd3e486b63d57dd038a58bf2cceed55f4bd4e25b6958f5a7630dbb19c0ed9e96fd72a1dc1459927fd3a141bdcc51d923d1663f0b8a89b53fdef44fb0bd1 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\ReadExport.xls
| MD5 | 7b8f484f58bf0fa81c679c641843d3b8 |
| SHA1 | a639f54abf5536aa3c8accf86b90c2bdf9235518 |
| SHA256 | 96425c8a5ebcdf1aa9331aafe9a566782a150eab0b12cdec543ddf52514df352 |
| SHA512 | 381552a38dfd6a0baa1a28a72c013f491a34e96bea9432ba2ac6023b2d34a0ad7640d91305f4040e924102f1bbe98002d599e615a606e8c3f8f97ebc32183343 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\WatchResolve.xlsx
| MD5 | 7fec23b722300cf16a31dec23fad915b |
| SHA1 | 8ca7e883121bcf6d81b013ebc2022d338fe8b584 |
| SHA256 | 9eebfea4e68e4b61f197255fb9e3c25584a204cbf531695e213f62fcb2f0efc5 |
| SHA512 | 4597a1ff0c9d3f8089956e32b5464114527572f4eebe6e8d86a63884372e5607279aece0073fecfd714715383a3c8f51ce6b87c18c692a6c89257d718f7f3c04 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\SkipUse.png
| MD5 | dc018c8a59c7b6f58f2f40fcd2fbc3b5 |
| SHA1 | be17b0ebca6d8c238645178809a501cb140ab1bc |
| SHA256 | 0ab6385d6c80962b8f68982a3f2839403aaaf660911d8a299aca6361afeb1d32 |
| SHA512 | e7ea043cfa9deb3352fee95c851f59f37f743c283e7690d205a4a498922c377fdf855588cfb8cb9fa2190ecc47c9178e74bb1bcd44aebb0b4b7a7386618251f7 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Wordlists\2985 HOTMAIL ACCESS.txt
| MD5 | 19713b193e36fefc518a4e3eec994e7a |
| SHA1 | a39b7d763b1ab5b9cdc47da758a66e359d4c2e5c |
| SHA256 | e0eb80a9cae2f6229ca4bdbca60d500c1d8190f9a60089d8386cbdfbc8758448 |
| SHA512 | 08b4c0df4b43259797b775dcc1621dc0b12868dfc60af3e62e83ed6adbb4df8e24c050f033ed47e8e2d918aaf61f2150124f092e03af282cb7dc5b94b171c189 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\SilverBullet.v1.1.4\SyntaxHelper.xml
| MD5 | 0a7d014f0d24c2af38e867d859a369da |
| SHA1 | a86612a2b200637c0d4b2e05447469ba2e48f080 |
| SHA256 | 668234ca5e416fe08661762970823e7fc7ed263dfdc85ca0c7cd851301a39954 |
| SHA512 | b9da3ac84c19ce9611a7840bec4a9326576f06b20460d842be1dc1896099bf8f597618d1340d84b64226a1648ba9658fa0c704434236c85a35bfb919e7399002 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\SilverBullet.v1.1.4\Readme.txt
| MD5 | f9a3a6260575112c46525b40d763361d |
| SHA1 | fc20fa1668ecfd1088c39154bc6baf5ff5f4c642 |
| SHA256 | 5011eba80a1fc9b3a384ef8c8f3ae0d7bf5dff9c38de081997f6e5e13a8cfaa2 |
| SHA512 | 8e5b479b4c54607bf3f4dca58654defc1472daff03a155fb2b912284cdd8973d3425a36243c4ad0e21af5f927451f3a992f60ed0088e66870562bb0d07443f15 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\SilverBullet.v1.1.4\Log.txt
| MD5 | 4de9097d526b7b59bf10be4cf6606351 |
| SHA1 | 564e0ef1cb1962e0825d395868bf754b3fb0ab97 |
| SHA256 | 550d31e5be055d556299b10b02591a54f17a56a31709ae9652fb8db45e4a3f1a |
| SHA512 | 2e35d5f6c8e4f64ad5080850f37dc4b5008814d1c7e16b5bda20b3822a8726decba8a4ee297f382fd46851e46880902fef61264524bb903253fbaaa369e2656e |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Settings\Update.txt
| MD5 | 68934a3e9455fa72420237eb05902327 |
| SHA1 | 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04 |
| SHA256 | fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa |
| SHA512 | 719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg
| MD5 | a51464e41d75b2aa2b00ca31ea2ce7eb |
| SHA1 | 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d |
| SHA256 | 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f |
| SHA512 | b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff |
memory/4632-873-0x00007FFD873B0000-0x00007FFD8781E000-memory.dmp
memory/4632-969-0x00007FFD873B0000-0x00007FFD8781E000-memory.dmp
memory/4632-985-0x00007FFD87250000-0x00007FFD87368000-memory.dmp
memory/4632-984-0x00007FFD87370000-0x00007FFD87384000-memory.dmp
memory/4632-983-0x00007FFD87390000-0x00007FFD873A4000-memory.dmp
memory/4632-982-0x00007FFDA6790000-0x00007FFDA67A0000-memory.dmp
memory/4632-981-0x00007FFD87F20000-0x00007FFD87F35000-memory.dmp
memory/4632-980-0x00007FFD87150000-0x00007FFD8716E000-memory.dmp
memory/4632-979-0x00007FFD87F40000-0x00007FFD87FF8000-memory.dmp
memory/4632-978-0x00007FFD88000000-0x00007FFD8802E000-memory.dmp
memory/4632-977-0x00007FFD86EB0000-0x00007FFD87021000-memory.dmp
memory/4632-976-0x00007FFD88030000-0x00007FFD8804F000-memory.dmp
memory/4632-975-0x00007FFD8B570000-0x00007FFD8B59D000-memory.dmp
memory/4632-974-0x00007FFD8B5A0000-0x00007FFD8B5B9000-memory.dmp
memory/4632-973-0x00007FFD9D320000-0x00007FFD9D32D000-memory.dmp
memory/4632-972-0x00007FFD8B5C0000-0x00007FFD8B5D9000-memory.dmp
memory/4632-971-0x00007FFDA1DF0000-0x00007FFDA1DFF000-memory.dmp
memory/4632-970-0x00007FFD9CA40000-0x00007FFD9CA64000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-16 17:54
Reported
2024-11-16 17:56
Platform
win11-20241007-en
Max time kernel
145s
Max time network
141s
Command Line
Signatures
Browser Information Discovery
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/EF5CxB7Q#Ivrmu9gJBFm8mqpFHiacc3n75gtayXptVrTm4k8PbtY
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda74f3cb8,0x7ffda74f3cc8,0x7ffda74f3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5144 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mega.nz | udp |
| US | 8.8.8.8:53 | mega.nz | udp |
| LU | 31.216.145.5:443 | mega.nz | tcp |
| LU | 31.216.145.5:443 | mega.nz | tcp |
| LU | 89.44.169.134:443 | eu.static.mega.co.nz | tcp |
| LU | 89.44.169.134:443 | eu.static.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.169.44.89.in-addr.arpa | udp |
| LU | 66.203.125.12:443 | g.api.mega.co.nz | tcp |
| LU | 66.203.125.12:443 | g.api.mega.co.nz | tcp |
| LU | 89.44.169.134:443 | eu.static.mega.co.nz | tcp |
| N/A | 127.0.0.1:6341 | | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 127.0.0.1:6341 | | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
\??\pipe\LOCAL\crashpad_1112_IOZJIABFXSVIKSYC
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58054a.TMP
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State