Malware Analysis Report

2025-03-15 03:46

Sample ID 241116-wgygcavlfl
Target https://mega.nz/file/EF5CxB7Q#Ivrmu9gJBFm8mqpFHiacc3n75gtayXptVrTm4k8PbtY
Tags
exelastealer collection defense_evasion discovery evasion persistence privilege_escalation stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file https://mega.nz/file/EF5CxB7Q#Ivrmu9gJBFm8mqpFHiacc3n75gtayXptVrTm4k8PbtY was found to be: Known bad.

Malicious Activity Summary

Exelastealer family

Exela Stealer

Grants admin privileges

Modifies Windows Firewall

Clipboard Data

Loads dropped DLL

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Network Service Discovery

Hide Artifacts: Hidden Files and Directories

Enumerates processes with tasklist

UPX packed file

Launches sc.exe

Browser Information Discovery

Permission Groups Discovery: Local Groups

System Network Configuration Discovery: Wi-Fi Discovery

System Network Connections Discovery

Event Triggered Execution: Netsh Helper DLL

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Gathers system information

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Collects information from the system

Suspicious use of SetWindowsHookEx

Kills process with taskkill

Gathers network information

Suspicious use of FindShellTrayWindow

Runs net.exe

Modifies registry class

Detects videocard installed

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-16 17:54

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-16 17:54

Reported

2024-11-16 17:57

Platform

win10v2004-20241007-en

Max time kernel

169s

Max time network

170s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/EF5CxB7Q#Ivrmu9gJBFm8mqpFHiacc3n75gtayXptVrTm4k8PbtY

Signatures

Exela Stealer

stealer exelastealer

Exelastealer family

exelastealer

Grants admin privileges

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\Config.setup.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\ARP.EXE N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5c003100000000007059eb8e1000574f52444c497e310000440009000400efbe7059eb8e7059eb8e2e000000fc4202000000070000000000000000000000000000003385820057006f00720064006c006900730074007300000018000000 C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "3" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4768 wrote to memory of 436 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 4768 wrote to memory of 4180 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 identical rows)
PID 4768 wrote to memory of 5036 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 4768 wrote to memory of 1560 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (20 identical rows)

Every row is the main msedge.exe process (PID 4768, the same PID that names the Crashpad pipe in the Files section) writing into its own child processes; the sample itself has no row in this table. The targets 436, 4180, 5036 and 1560, together with 4768, all reappear among the PIDs that the later "taskkill /F /PID" chain terminates. Taken alone this signature is consistent with ordinary browser child-process setup rather than injection by the stealer; the interesting fact is that the stealer later kills exactly these browser processes.

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/EF5CxB7Q#Ivrmu9gJBFm8mqpFHiacc3n75gtayXptVrTm4k8PbtY

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8e3646f8,0x7ffd8e364708,0x7ffd8e364718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5424 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x384 0x38c

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3068 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,6052673225507975021,331544440489792569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6048 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\SilverBullet. v1.1.4.exe

"C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\SilverBullet. v1.1.4.exe"

C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe

"C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\LSSetup.xml.exe"

C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\Config.setup.exe

"C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\Config.setup.exe"

C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\Config.setup.exe

"C:\Users\Admin\Downloads\SilverBullet.v1.1.4\SilverBullet.v1.1.4\Config.setup.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "gdb --version"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get Manufacturer

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4768"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 4768

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 436"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 436

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4180"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 4180

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5036"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 5036

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1560"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 1560

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5020"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 5020

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3832"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 3832

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2188"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 2188

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 928"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 928

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4064"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 4064

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2424"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 2424

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid
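The command lines above form a chain that is easy to miss one event at a time but distinctive in aggregate: attrib +h +s on a binary dropped under AppData\Local, a run of taskkill /F /PID whose targets (4768, 436, 4180, 5036, 1560) match the msedge.exe PIDs in the WriteProcessMemory table, powershell Get-Clipboard, netsh wlan show profiles, wmic csproduct get uuid and the "####"-delimited recon one-liner. As an added example, not part of this report or of the sandbox's own signature set, the following Python scores a list of process command lines against that chain. The sample lines are constructed from the process tree above (the long one-liner is shortened to its key commands), and the rule names, patterns and threshold are this editor's own heuristics, not Exela or sandbox identifiers.

```python
import re
from collections import defaultdict

# Constructed sample input: command lines copied from the process tree above,
# plus two benign lines (an Edge renderer and a plain "dir") that must not fire.
# The long "####System Info####" one-liner is shortened to its key commands.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"',
    r'C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""',
    r'C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4768"',
    r'C:\Windows\system32\cmd.exe /c "taskkill /F /PID 436"',
    r'C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4180"',
    r'C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"',
    r'C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"',
    r'C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & '
    r'echo ####Local Group#### & net localgroup & echo ####Netstat#### & netstat -ano & '
    r'echo ####Firewallinfo#### & netsh firewall show state"',
    r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=en-US',
    r'C:\Windows\system32\cmd.exe /c "dir C:\Users\Admin\Documents"',
]

# Editor's own heuristics (rule name, tactic, pattern); not sandbox signature names.
RULES = [
    ("hidden_system_attrib_in_appdata", "defense_evasion",
     re.compile(r'\battrib\b(?:\s+\+[hsra])+\s+"?[A-Za-z]:\\Users\\[^"]*\\AppData\\Local\\', re.I)),
    ("taskkill_force_pid", "defense_evasion",
     re.compile(r'\btaskkill(?:\.exe)?\s+/F\s+/PID\s+\d+', re.I)),
    ("clipboard_read", "collection",
     re.compile(r'\bpowershell(?:\.exe)?\b.*\bGet-Clipboard\b', re.I)),
    ("wifi_profile_dump", "discovery",
     re.compile(r'\bnetsh(?:\.exe)?\s+wlan\s+show\s+profiles?\b', re.I)),
    ("hardware_uuid_query", "discovery",
     re.compile(r'\bwmic(?:\.exe)?\s+csproduct\s+get\s+uuid\b', re.I)),
    ("recon_chain", "discovery",
     re.compile(r'\bsysteminfo\b.*\bnet\s+localgroup\b.*\bnetstat\s+-ano\b', re.I)),
]


def scan(cmdlines):
    """Map each rule name to the command lines that matched it."""
    hits = defaultdict(list)
    for line in cmdlines:
        for name, _tactic, pattern in RULES:
            if pattern.search(line):
                hits[name].append(line)
    return dict(hits)


def killed_pids(cmdlines):
    """PIDs handed to 'taskkill /F /PID', in order, so they can be compared with
    the browser PIDs seen elsewhere in the same session."""
    pat = re.compile(r'\btaskkill(?:\.exe)?\s+/F\s+/PID\s+(\d+)', re.I)
    pids = []
    for line in cmdlines:
        m = pat.search(line)
        if m:
            pids.append(int(m.group(1)))
    return pids


def verdict(hits, min_rules=4):
    """A single recon command is routine admin noise, so escalate only when the
    hide-the-dropped-binary rule co-occurs with several other behaviours."""
    fired = set(hits)
    tactics = sorted({t for n, t, _ in RULES if n in fired})
    if "hidden_system_attrib_in_appdata" in fired and len(fired) >= min_rules:
        return "stealer_chain", tactics
    if fired:
        return "suspicious_recon", tactics
    return "clean", tactics


if __name__ == "__main__":
    found = scan(SAMPLE_CMDLINES)
    for name, lines in found.items():
        print(f"{name}: {len(lines)} line(s)")
    print("killed PIDs:", killed_pids(SAMPLE_CMDLINES))
    print("verdict:", verdict(found))
```

Run stand-alone it prints the per-rule counts and the verdict for the sample; in practice feed it the CommandLine field of Sysmon event 1 or Security 4688 records grouped by logon session. The threshold is the important design choice: wmic csproduct get uuid or netsh wlan show profiles on its own is ordinary administration, so verdict() only escalates when the attrib rule co-occurs with several others, which is the shape this report shows.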

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 mega.nz udp
LU 31.216.144.5:443 mega.nz tcp
LU 31.216.144.5:443 mega.nz tcp
US 8.8.8.8:53 eu.static.mega.co.nz udp
NL 66.203.127.13:443 eu.static.mega.co.nz tcp
NL 66.203.127.13:443 eu.static.mega.co.nz tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 5.144.216.31.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.127.203.66.in-addr.arpa udp
US 8.8.8.8:53 g.api.mega.co.nz udp
LU 66.203.125.16:443 g.api.mega.co.nz tcp
LU 66.203.125.16:443 g.api.mega.co.nz tcp
US 8.8.8.8:53 16.125.203.66.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
NL 66.203.127.13:443 eu.static.mega.co.nz tcp
N/A 127.0.0.1:6341 tcp
N/A 127.0.0.1:6341 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 gfs208n159.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs204n151.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs206n139.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs270n352.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs214n143.userstorage.mega.co.nz udp
US 8.8.8.8:53 gfs262n337.userstorage.mega.co.nz udp
BE 94.24.37.49:443 gfs206n139.userstorage.mega.co.nz tcp
BE 94.24.37.49:443 gfs206n139.userstorage.mega.co.nz tcp
BE 94.24.37.49:443 gfs206n139.userstorage.mega.co.nz tcp
BE 94.24.37.49:443 gfs206n139.userstorage.mega.co.nz tcp
LU 89.44.168.62:443 gfs270n352.userstorage.mega.co.nz tcp
LU 89.44.168.62:443 gfs270n352.userstorage.mega.co.nz tcp
LU 89.44.168.62:443 gfs270n352.userstorage.mega.co.nz tcp
LU 89.44.168.62:443 gfs270n352.userstorage.mega.co.nz tcp
DE 94.24.36.47:443 gfs262n337.userstorage.mega.co.nz tcp
DE 94.24.36.47:443 gfs262n337.userstorage.mega.co.nz tcp
DE 94.24.36.47:443 gfs262n337.userstorage.mega.co.nz tcp
DE 94.24.36.47:443 gfs262n337.userstorage.mega.co.nz tcp
ES 185.206.27.53:443 gfs214n143.userstorage.mega.co.nz tcp
ES 185.206.27.53:443 gfs214n143.userstorage.mega.co.nz tcp
ES 185.206.27.53:443 gfs214n143.userstorage.mega.co.nz tcp
ES 185.206.27.53:443 gfs214n143.userstorage.mega.co.nz tcp
FR 185.206.26.69:443 gfs208n159.userstorage.mega.co.nz tcp
FR 185.206.26.69:443 gfs208n159.userstorage.mega.co.nz tcp
FR 185.206.26.69:443 gfs208n159.userstorage.mega.co.nz tcp
FR 185.206.26.69:443 gfs208n159.userstorage.mega.co.nz tcp
NL 185.206.24.79:443 gfs204n151.userstorage.mega.co.nz tcp
NL 185.206.24.79:443 gfs204n151.userstorage.mega.co.nz tcp
NL 185.206.24.79:443 gfs204n151.userstorage.mega.co.nz tcp
NL 185.206.24.79:443 gfs204n151.userstorage.mega.co.nz tcp
US 8.8.8.8:53 49.37.24.94.in-addr.arpa udp
US 8.8.8.8:53 62.168.44.89.in-addr.arpa udp
US 8.8.8.8:53 47.36.24.94.in-addr.arpa udp
US 8.8.8.8:53 69.26.206.185.in-addr.arpa udp
US 8.8.8.8:53 79.24.206.185.in-addr.arpa udp
US 8.8.8.8:53 53.27.206.185.in-addr.arpa udp
DE 94.24.36.47:443 gfs262n337.userstorage.mega.co.nz tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 api.github.com udp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
N/A 127.0.0.1:64903 tcp
N/A 127.0.0.1:64921 tcp
N/A 127.0.0.1:64929 tcp
N/A 127.0.0.1:64932 tcp
N/A 127.0.0.1:64936 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 stealer.to udp
US 104.21.27.3:443 stealer.to tcp
US 104.21.27.3:443 stealer.to tcp
US 172.67.139.197:443 stealer.to tcp
US 8.8.8.8:53 3.27.21.104.in-addr.arpa udp
US 8.8.8.8:53 197.139.67.172.in-addr.arpa udp
US 8.8.8.8:53 api.gofile.io udp
FR 45.112.123.126:443 api.gofile.io tcp
US 8.8.8.8:53 store1.gofile.io udp
FR 45.112.123.227:443 store1.gofile.io tcp
N/A 127.0.0.1:65051 tcp
N/A 127.0.0.1:65053 tcp
US 8.8.8.8:53 126.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 227.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 104.21.27.3:443 stealer.to tcp
GB 20.26.156.210:443 api.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
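Most rows in this table are resolver queries to 8.8.8.8, in-addr.arpa reverse lookups, loopback or multicast, or the MEGA hosts that the analysed URL was expected to reach. As an added example (not part of this report), the following Python reduces a copy of the table to the endpoints worth triaging. It drops that noise and anything under mega.nz / mega.co.nz; treating MEGA as "expected" is an assumption tied to this sample's delivery URL and would change for another sample. The sample rows are a constructed subset of the table above, in the same column layout.

```python
import ipaddress

# Constructed sample: a subset of the rows from the Network table above, in the
# report's "Country Destination Domain Proto" layout. The mDNS and loopback rows
# have no domain column, exactly as in the report.
SAMPLE_ROWS = """\
US 8.8.8.8:53 mega.nz udp
LU 31.216.144.5:443 mega.nz tcp
US 8.8.8.8:53 5.144.216.31.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:6341 tcp
BE 94.24.37.49:443 gfs206n139.userstorage.mega.co.nz tcp
GB 20.26.156.210:443 api.github.com tcp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 104.21.27.3:443 stealer.to tcp
US 172.67.139.197:443 stealer.to tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
US 104.21.27.3:443 stealer.to tcp
"""

# Assumption tied to this sample: the analysed URL is a MEGA link, so traffic to
# MEGA's own domains is the download, not a lead. Adjust per sample.
EXPECTED_DOMAINS = ("mega.nz", "mega.co.nz")


def parse_rows(text):
    """Parse table rows into dicts; three-column rows carry no domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ipaddress.ip_address(host),
                     "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_noise(row):
    """Resolver queries, reverse lookups and non-routable targets carry no IOC value here."""
    ip = row["ip"]
    if ip.is_loopback or ip.is_multicast or ip.is_private or ip.is_link_local:
        return True
    if row["port"] == 53 and row["proto"] == "udp":
        return True
    return row["domain"].endswith(".in-addr.arpa")


def is_expected(domain):
    return any(domain == d or domain.endswith("." + d) for d in EXPECTED_DOMAINS)


def triage(text):
    """Group the remaining connections by domain, keeping first-seen order."""
    leads = {}
    for row in parse_rows(text):
        if is_noise(row) or is_expected(row["domain"]):
            continue
        key = row["domain"] or str(row["ip"])
        entry = leads.setdefault(key, {"ips": [], "ports": [], "countries": [],
                                       "hits": 0, "plaintext": False})
        for field, value in (("ips", str(row["ip"])), ("ports", row["port"]),
                             ("countries", row["country"])):
            if value not in entry[field]:
                entry[field].append(value)
        entry["hits"] += 1
        entry["plaintext"] = entry["plaintext"] or row["port"] == 80
    return leads


def format_leads(leads):
    """One review line per endpoint, flagging cleartext destinations."""
    lines = []
    for domain, e in leads.items():
        flag = " [CLEARTEXT]" if e["plaintext"] else ""
        lines.append(f"{domain}: {', '.join(e['ips'])} ports={e['ports']} "
                     f"hits={e['hits']} geo={'/'.join(e['countries'])}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_leads(triage(SAMPLE_ROWS))))
```

What survives is ip-api.com over plain port 80 (the external-IP lookup the signature list calls out), stealer.to on two Cloudflare-range addresses, api.gofile.io / store1.gofile.io, and api.github.com / raw.githubusercontent.com. GitHub, gofile and ip-api are legitimate services that this report flags as abused rather than malicious, so the output is a review list for targeted blocking and hunting, not a blanket blocklist; stealer.to is the one entry with no obvious benign explanation on a workstation.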

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c2d9eeb3fdd75834f0ac3f9767de8d6f
SHA1 4d16a7e82190f8490a00008bd53d85fb92e379b0
SHA256 1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66
SHA512 d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

\??\pipe\LOCAL\crashpad_4768_ZSQDOMSESTCQGTQZ

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(All four digests are those of zero-length input: the pipe was observed but no content was captured from it. The 4768 in its name is the PID of the main msedge.exe process.)

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e55832d7cd7e868a2c087c4c73678018
SHA1 ed7a2f6d6437e907218ffba9128802eaf414a0eb
SHA256 a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574
SHA512 897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1cee12b8a8287b0d34b0b324c46a0c43
SHA1 08c8e7dd1cc6a8cb49dda1a3c28f1a8bf857f453
SHA256 54d5a561f221fc7ea9cf1e2108dddc69765e059acaa4fa916d22762e95e501ca
SHA512 333a46894489bc6ea91d084c521583b34d0783809eb5fcb0587f663ad6f0a0aff513ed6105476432b05d4eb25679765a1f56ce06333bbcb698475d3ecb685f5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b75907f266c4af0eb2c7f03f6f4dbfbd
SHA1 d5387a6d095867580be9bf41a8f813b1ec3f0597
SHA256 ca352bf0ee36db8b5cbd9a0b779816e6f550d292d0347595fc2c77618744b8fd
SHA512 3ee11495d9aef610d551aeb84bce36fe58e53f2a1a7f86a1c032d97e3229e7b6f7ce49f70e0ec38314aa6cf874d5ea1d5d9edc59f9d37bc88f9434470e5f75f7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 c0d37961b316e271a2ed5767ed0908d1
SHA1 bd2eb1e8c98a0066f97649556f78c1602d4bb4cd
SHA256 9119acc1151afd0822867ede6506214040c05c014c382dee9fea2c7c600105c0
SHA512 3b829b1d6033764544b9af8f1a0ff15ba75f6f8318e02c3bc37fe89d2c34809b6ecc3a1740f81f6471806a21adc06edfe245fd58c58a8306334b81a2a5a88f70

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\00\00000000

MD5 fdf9b7231e356baa352ece57c17d034e
SHA1 be5a15a8d798805e326c268ac3605b3aa0d28101
SHA256 1883b6a8012cd427ba38b2bd748b77272dcfcecb9565c7c37e0a4b730bcc2677
SHA512 f60a7d2fbb86ec88f9eeae92d991b53a30a18cc168b62e68a7817eac883cc16a6909e235970b29877e1a50c64cac3e121fb0a030665badbc9b461acba512c4b3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001

MD5 3fd11ff447c1ee23538dc4d9724427a3
SHA1 1335e6f71cc4e3cf7025233523b4760f8893e9c9
SHA256 720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed
SHA512 10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 95328cd19caae89b9f9003f716df6d91
SHA1 50132076e6cf61ed386fc4e89eeeaaef02ad6184
SHA256 69486b1706896158b179b8b9e60369b3ed92fad22c442579f1c3b792f0e9d836
SHA512 f3a68c0042d92502c56a76fe423521994170766e4e0759a325ded1e9bbfa5d3b6418b68f8dacb366b880e69c4c40c3eb219a0addd66ad20177d782d613cf9427

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

MD5 f10900b4f046ae645c24f239fb71be17
SHA1 a211ffd7ea7fc858f9e0f8b997c315ea960ead25
SHA256 9981be5b63eb6faa1e1fa73f8c4f6640bdb4e926b21cd346e12683caf2134c77
SHA512 c310c2c391c13cb493537dd4d43b7f89e3ed4697f02996e4aee9593a368b80f4e6ef79bac15813108d3aa5a60ba45115c0fb9cb52f15a69fdea6983ac9fb7838

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old~RFe5829f9.TMP

MD5 815886a50df0d01f058f34b4fffc26e8
SHA1 f5586c49f77a011affba1f0c740c5d406976406b
SHA256 6cea9f4f1d842eae6e5c962c3b939329e093fedb3e72bd097a128ec1db8f0fe5
SHA512 e188647a91d8b560cdd0d4eb2dabcb123cfc8c228b0d38746385936bb21b83a44ec1ea853d16c4968b086489c05f47b4ced194424248e95d2e4d1aa912cf3920

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 08105f9e8088d0c90c49ee86af664242
SHA1 28a94b2ccde7e3ffb19dd5545c5b146b1931ae4a
SHA256 93704d941a2aac2db8d63b6c575b43968003154d6c4da3ab406956ce1ef57cb9
SHA512 225b370bcfb853762458ab26f9363f8067b5492681fd48e03ba10181684fcf555f653d7fc1d9b94cb83406ebfecbcec4c651f4b7f32f83ce5caddb6b95818374

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe582db2.TMP

MD5 9db36a3c94293bf1aaa6771ab4e5da25
SHA1 fa6e22f3064607cf217e1d8b4cd1197d4061fda3
SHA256 b25ffd894546e079241ded051df7e7eb4b1db454e720d37e1330bfdfe84563a3
SHA512 5eaf41c2a1efb4f79d74f0eefae29783af7f45a08ea52d1ea4ec1540b25544e7981e14ccf3fbcd7e9ca33fa147a2c3313f0f31c3f0c2279ad400c0db607dddd0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

MD5 9cf7b5996bdb9f111fb1e7c3b04fb896
SHA1 97d1eccfd8faab131b3fc4b3fe2a1ef42568330b
SHA256 00b94ab1d57c3f4806d5938ac8710a31b2d876d40292b7f1ed3421b8199164d3
SHA512 a06488c40fa4daf41c7ad1c092f255803753bb1f20e0ce7e2593dfcb80f4fad5ea996522309ccd450fa591dcc610ee418d81f387b4c66112a0941af138a3f1af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\000003.log

MD5 c5042f5fe4c5196eb4a9b2db9b4bc7d8
SHA1 c529dc7c7214f0f93f4905b5d527a9e42a403f68
SHA256 7aee77df126fdb271262a7b723066c3fe4d23b43d0fe53b86059e7e7ccb392a1
SHA512 42f677ce924fcb3b6f6d7976204ed346684cf3f7d5999269e26b9ac7adc5c83f929cc2d572f371d39c2fadc37bb95470d652111ee1573eb52578b031ba32129d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

MD5 dfd99e83204212f80f7fce79531f1723
SHA1 9487be655ce0398517853527e7d09b58f5984234
SHA256 fbe2e63a89956add8ce279d31f6153b5b87b38f62edef3180ca3f0c4fc295f26
SHA512 67131addfabb94598451dffe7333c8761822d631b35d6062230232064a1343804f1e01bb1c276f5a71bccdbbfb4ae9dcdb50cd0c7876d7477206a8164878e66d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\LOG.old

MD5 a9630f2d6f6f68fed3bec628d314b6e4
SHA1 a671911826329c76a7a48d24968f0ed63893b311
SHA256 fb550ed3e4093676e88112c30734c9f7ba74722a26f9a8eec12e1026293df3f2
SHA512 2f51d8cecd47a07936ab231560cf39c82e06fd3c7c035644ef3e34769ab406cafac4bb6ff0f83fe635ae685d994bb253e05147ac9f6df4d320f667da8fea8a5c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ba73c140ba1a2dfdcf0afbdeefca07ac
SHA1 30581af9c78960ecc786dc35bc043c3f91385930
SHA256 05111f6c9e35853f2973e0375cccf5bde4a2918c461556316fbcea202b4331fa
SHA512 161cea54c3dafbd7a8534418a68e91abc80c43d49539401e1c2a6830f322a75b24a4b7e96730dfe22718ca236377a03a79e891dc271736a18ceaa65893fe5d69

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8da30adbe1685171a5457bc082f2af79
SHA1 d83b6fd5d66d3669f49ebf166ab2e38488e257fb
SHA256 9b537063b571b14e6246a6913b70e6473575ade6eee5640af8bccd538a9fdab0
SHA512 09320663b891d3187c63a71275fca9562bb64d9c7cd1032264ac86baa38ece9af70199142bfb6a50765d9eccd5ea0166a972789e9e8bc727ef4f6b14e6ec1933

C:\Users\Admin\AppData\Local\Temp\_MEI45242\python310.dll

MD5 fc7bd515b12e537a39dc93a09b3eaad6
SHA1 96f5d4b0967372553cb106539c5566bc184f6167
SHA256 461e008b7cdf034f99a566671b87849772873a175aefec6ed00732976f5c4164
SHA512 a8433d5b403f898e4eeebd72fce08ebad066ca60aeb0b70e2ae78377babc2acbbae2ac91ab20f813cce4b1dc58c2ad6b3868f18cc8ac0fe7be2bff020eb73122

C:\Users\Admin\AppData\Local\Temp\_MEI45242\VCRUNTIME140.dll

MD5 870fea4e961e2fbd00110d3783e529be
SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

memory/1992-352-0x00000000002C0000-0x0000000000534000-memory.dmp

memory/4632-353-0x00007FFD873B0000-0x00007FFD8781E000-memory.dmp

memory/1992-364-0x00000000056D0000-0x0000000005FFC000-memory.dmp

memory/4632-363-0x00007FFDA1DF0000-0x00007FFDA1DFF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI45242\_uuid.pyd

MD5 59cfd9669367517b384922b2485cb6a7
SHA1 1bd44298543204d61d4efd2cd3980ad01071360d
SHA256 e02bfad84786560b624efd56df55c88a4ffbd6c7cfc728bf68b6401aa10f849f
SHA512 d0dd041d8493c7c19db01ea8477981148726796ce2ab58d3193064123319bd5b68fd57871d1db0aaa08d07f78ab96a3d343051c33ffd406e96b921248ea32665

C:\Users\Admin\AppData\Local\Temp\_MEI45242\_socket.pyd

MD5 53e72716073038c1dd1db65bfdb1254c
SHA1 7bf220a02a3b51aa51300b3a9ea7fa48358ca161
SHA256 e1fb6927ba2ed014d0ac750af0ee0bb3d49487dd6920848937259606e1e92e1d
SHA512 c10d91b6ec82402b0eb05dc31a4703c999f4988e88204b695e009fae5fdcc61e8a6dc4d2879ecf2babc030224048afd2f256b9e7f5c5b6f28762047813be0941

memory/4632-387-0x00007FFD9D320000-0x00007FFD9D32D000-memory.dmp

memory/4632-386-0x00007FFD8B5C0000-0x00007FFD8B5D9000-memory.dmp

memory/1992-388-0x00000000052F0000-0x0000000005340000-memory.dmp

memory/1992-392-0x0000000005360000-0x0000000005380000-memory.dmp

memory/1992-395-0x00000000052E0000-0x00000000052E8000-memory.dmp

memory/1992-396-0x0000000005640000-0x00000000056B0000-memory.dmp

memory/1992-400-0x0000000006180000-0x00000000061C4000-memory.dmp

memory/1992-401-0x0000000006250000-0x00000000062CE000-memory.dmp

memory/1992-403-0x0000000005570000-0x000000000557C000-memory.dmp

memory/1992-402-0x0000000006520000-0x000000000676E000-memory.dmp

memory/1992-399-0x0000000006100000-0x0000000006124000-memory.dmp

memory/1992-398-0x0000000005500000-0x000000000551A000-memory.dmp

memory/1992-397-0x0000000005530000-0x0000000005558000-memory.dmp

memory/1992-404-0x0000000006FD0000-0x0000000007488000-memory.dmp

memory/1992-394-0x00000000055A0000-0x0000000005632000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI45242\_bz2.pyd

MD5 6250a28b9d0bfefc1254bd78ece7ae9f
SHA1 4b07c8e18d23c8ae9d92d7b8d39ae20bc447aecd
SHA256 7d43f7105aa4f856239235c67f61044493ee6f95ddf04533189bf5ea98073f0b
SHA512 6d0aa5c3f8f5b268b94341dfdd5afbe48f91f9aac143bf59f7f5e8ba6f54205b85ec527c53498ed8860fdff6a8d08e48ec4e1652eeab2d3c89aaaf3a14fcaaa7

memory/1992-393-0x0000000005380000-0x000000000539C000-memory.dmp

memory/4632-412-0x00007FFD86EB0000-0x00007FFD87021000-memory.dmp

memory/4632-411-0x00007FFD88030000-0x00007FFD8804F000-memory.dmp

memory/4632-410-0x00007FFD8B570000-0x00007FFD8B59D000-memory.dmp

memory/4632-414-0x00007FFD88000000-0x00007FFD8802E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI45242\_ssl.pyd

MD5 7e9d95ac47a2284706318656b4f711d3
SHA1 f085104709201c6e64635aeacf1da51599054e55
SHA256 38dcb3d0f217785b39c03d4c949dd1e04b70e9eade8a4ad83f026390684059c9
SHA512 294a5148d8fcddabd177b776617da7720d9876ac2a1cdf8dd7b9489f0f719600a634346cdfa07da66588de885b0a64d8cccde4d47edbf6305bd2af44ee209118

memory/4632-409-0x00007FFD8B5A0000-0x00007FFD8B5B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI45242\sqlite3.dll

MD5 6a3a34c9c67efd6c17d44292e8db8fad
SHA1 339b1e514d60d8370eaec1e2f2b71cead999f970
SHA256 7b0e840165d65f0f5285476467e4c154c4d936613966b84948110a4614b9cad9
SHA512 6f2a1b670d28762745f0d3b961a331cbbb0dec244f8798734b911b3a3bc9519c73a3b26f1e1117725f6f1e880e57cadb562a1450659bca1aae353f6b9575d7f5

C:\Users\Admin\AppData\Local\Temp\_MEI45242\_sqlite3.pyd

MD5 e7d68df8f65fbb0298a45519e2336f32
SHA1 ad3c84ad7eb75a61f287b1ba9fd2801567e39b6d
SHA256 2473ebaf52723c3751a12117ebbe974e50ecdaeb40b282a12ba4e6aa98492e79
SHA512 626204685e9b95310aba51be4a8abaf3b6e152fa35902f64f837303fc4011a4518ee393047ceb45bf377e9d965d169c92bfbb6673475150e159c59b7857ba03e

C:\Users\Admin\AppData\Local\Temp\_MEI45242\_lzma.pyd

MD5 8edbeeccb6f3dbb09389d99d45db5542
SHA1 f7e7af2851a5bf22de79a24fe594b5c0435fca8a
SHA256 90701973be6b23703e495f6a145bae251a7bb066d3c5f398ec42694fd06a069f
SHA512 2a8bf60f2280b9a947578bd7fd49c3ace8e010a3d4b38e370edb511ea0e125df688bbac369d6a3cec9d285a1fa2ad2dac18a0ef30fda46e49a9440418581e501

memory/1992-391-0x0000000005480000-0x00000000054F8000-memory.dmp

memory/1992-390-0x0000000005340000-0x000000000535C000-memory.dmp

memory/1992-389-0x00000000053E0000-0x000000000547E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI45242\select.pyd

MD5 3797a47a60b606e25348c67043874fe8
SHA1 63a33fedffd52190236a6acd0fc5d9d491e3ac45
SHA256 312e9b01d1632840983e8533d1685a64fb87e4538f724a7a59a71b1ba148bbac
SHA512 3eb7599825b7b21aaab05e420dd16d4a8eaa21652d232f6e4ede213a232b701401556e44df73cfa20ae855d1adc28304b52d42367b74ebd8e96c2e3d9a9b93e2

C:\Users\Admin\AppData\Local\Temp\_MEI45242\_queue.pyd

MD5 5c4c43763fb1a796134aa5734905c891
SHA1 44a5e1ae4806406a239129d77888bd87d291a410
SHA256 4edc80e7d331ba0e9338431d407157181190f995821d1cd24f7a7aa2422ece0c
SHA512 07bec7e4a85e76cfab2c21776b50ee2bd0454835fcb43b573dee757eca24cbeb4530784bae07de3be90820cee6d72023d9ded395d4f1a4931971db247dc1a71e

C:\Users\Admin\AppData\Local\Temp\_MEI45242\_overlapped.pyd

MD5 5c1441f6ee11632183a83dac2d22853b
SHA1 eef732ff4bab9ea5c8fffb6a93c47cfc8e64dae2
SHA256 104e0b0e0e9fec9eb6438683296feeba298d5f23b02d2080577fc87ffec67acf
SHA512 e41d3433754a8a3d2c572bb7f3902c0d37cba2e6f3307f0e6dfed316a22b11ef7e52a73c30085fa89fcff603e4b76858abe761217c320e38fa2eb95d1777b595

C:\Users\Admin\AppData\Local\Temp\_MEI45242\_multiprocessing.pyd

MD5 4fbc5fd5da9da74c04fe0374387b34d3
SHA1 1e9c98db0486f98fb7d8eb9fa57a949494b649b5
SHA256 b2347790c87052623710382d3178887f68a79618d6da5174909f46b169236950
SHA512 ce87d4512c2ab7c1ad7986e8e1fe790615ae39c7667d234dfc09026ee7e1518b3bfbf7974612811db0c3e5654b35b54e118e23e624bebe027a51d2c8f2a4652a

C:\Users\Admin\AppData\Local\Temp\_MEI45242\_hashlib.pyd

MD5 3b5530f497ff7c127383d0029e680c35
SHA1 fb5dc554bb9ff49622184cc16883a7567115c7ca
SHA256 5971fcc9758b7f4a12cde2190a323f35a34ab7f97bd8c39cc8f3335223102573
SHA512 12ced7ddb0352f8eca3c3cb7c7c2faaf08e617b2dd278d20008051fb6b564b17c3e9ecfa8b0ffe7674154ad533dfbbf1e802accd5e1aef12ece01368da06e85a

C:\Users\Admin\AppData\Local\Temp\_MEI45242\_decimal.pyd

MD5 20985dc78dbd1992382354af5ca28988
SHA1 385a3e7a7654e5e4c686399f3a72b235e941e311
SHA256 f3620cac68595b8a8495ab044f19a1c89012f50d2fe571b7a1721485f7ff2e43
SHA512 61b8ecd2d12b3f785773b98d4bf4af0eb6eb2c61fbea6effb77ec24b2127e888d0ea5fdd8cc298484e0f770d70c87907048fc382faace8e0ca6b49ab106c89f8

C:\Users\Admin\AppData\Local\Temp\_MEI45242\_cffi_backend.cp310-win_amd64.pyd

MD5 641e49ce0c4fa963d347fbf915aabdbe
SHA1 1351f6c4ac5dcda7e3ffbf3d5e355b4bb864eb10
SHA256 1c795df278c7f64be8e6973f8dbf1a625997cb39ae2dcb5bee0ca4c1b90c8906
SHA512 766b9adb5143e89d663177c2fb0e951afb84c0a43ec690ae2c477ee0bbe036df6f4161a6012430d42e4913fd5fbe7e49af6d13ac7c62d042a484861fc5a04616

C:\Users\Admin\AppData\Local\Temp\_MEI45242\_asyncio.pyd

MD5 7d4f9a2b793e021f7e37b8448751ed4e
SHA1 0ea07b5024501aad5008655cfeae6d96b5da957a
SHA256 2293c1b6b0b901832a57a1c4dcb1265c9e92d21177195712c30632a7b63227d4
SHA512 af75452279c308c61c3e222a031a8201e47e8fe44c4e92cb7dab03d56c7e7e3e2a2c589f650c50e0b29e2df175d6f2ff50c8e5e589d17a124bf0a2e0d7886c26

C:\Users\Admin\AppData\Local\Temp\_MEI45242\unicodedata.pyd

MD5 fed35db31377d515d198e5e446498be2
SHA1 62e388d17e17208ea0e881ccd96c75b7b1fbc5f7
SHA256 af3cdc9a2a1d923be67244429867a3c5c70835249e3573a03b98d08d148fe24b
SHA512 0985528cb0289086ec895e21a8947e04f732d5660460f2e7fa8668bd441c891438781c808bcea9294f348720e3752c10ea65363371f7e75ea48600d016bab72a

C:\Users\Admin\AppData\Local\Temp\_MEI45242\libcrypto-1_1.dll

MD5 86cfc84f8407ab1be6cc64a9702882ef
SHA1 86f3c502ed64df2a5e10b085103c2ffc9e3a4130
SHA256 11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307
SHA512 b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

memory/1992-419-0x0000000006BE0000-0x0000000006CB0000-memory.dmp

memory/4632-418-0x00007FFD87F40000-0x00007FFD87FF8000-memory.dmp

memory/4632-417-0x00007FFD86B30000-0x00007FFD86EA5000-memory.dmp

memory/4632-423-0x00007FFD87F20000-0x00007FFD87F35000-memory.dmp

memory/4632-427-0x00007FFDA6790000-0x00007FFDA67A0000-memory.dmp

memory/4632-433-0x00007FFD9D320000-0x00007FFD9D32D000-memory.dmp

memory/1992-436-0x0000000008740000-0x00000000087F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI45242\yarl\_quoting_c.cp310-win_amd64.pyd

MD5 c14493cd3cc9b9b5f850b5fadcbe936e
SHA1 eddb260ff89bfa132a479fdf783c67098011fb85
SHA256 1782f3c12b3eb01716fcd59b0cd69c02c2fb888db4377f4d5fe00f07986be8e3
SHA512 0a7b85322b8fa566fb3d24b8e4021fb64433be06c3c4dbeb06d9633e4af0a5b76252fb2228de0abd818be5f4a18fffc712c727816632dd8c8585c9a9a7bf0fb6

memory/4632-442-0x00007FFD87220000-0x00007FFD87242000-memory.dmp

memory/1992-443-0x0000000006B90000-0x0000000006BAE000-memory.dmp

memory/4632-441-0x00007FFD86EB0000-0x00007FFD87021000-memory.dmp

memory/4632-440-0x00007FFD88030000-0x00007FFD8804F000-memory.dmp

memory/4632-437-0x00007FFD87250000-0x00007FFD87368000-memory.dmp

memory/1992-435-0x0000000006D70000-0x0000000006DE6000-memory.dmp

memory/4632-432-0x00007FFD8B5C0000-0x00007FFD8B5D9000-memory.dmp

memory/4632-431-0x00007FFD87370000-0x00007FFD87384000-memory.dmp

memory/4632-430-0x00007FFD87390000-0x00007FFD873A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI45242\multidict\_multidict.cp310-win_amd64.pyd

MD5 58a0ff76a0d7d3cd86ceb599d247c612
SHA1 af52bdb9556ef4b9d38cf0f0b9283494daa556a6
SHA256 2079d8be068f67fb2ece4fb3f5927c91c1c25edecb9d1c480829eb1cd21d7cc5
SHA512 e2d4f80cdeba2f5749a4d3de542e09866055d8aee1d308b96cb61bc53f4495c781e9b2559cc6a5f160be96b307539a8b6e06cabeffcc0ddb9ad4107dcacd8a76

memory/4632-426-0x00007FFD9CA40000-0x00007FFD9CA64000-memory.dmp

memory/4632-422-0x00007FFD873B0000-0x00007FFD8781E000-memory.dmp

memory/1992-420-0x0000000006CB0000-0x0000000006D6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI45242\libssl-1_1.dll

MD5 6cd33578bc5629930329ca3303f0fae1
SHA1 f2f8e3248a72f98d27f0cfa0010e32175a18487f
SHA256 4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0
SHA512 c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

C:\Users\Admin\AppData\Local\Temp\_MEI45242\pyexpat.pyd

MD5 46331749084f98bcfe8631d74c5e038f
SHA1 5e5510f7a4d03f10d979e0d6a0d2a6f0e53ca347
SHA256 21cc4b9ccd69d08d7c1068b1f004ae9454f7ea0a322801860faf0e6f4a24a3df
SHA512 edd39ce2d927fb6700a86db07f4f56cab897ef91a320f3e5ecb542ea1be6888dd27a08008e5fa1df3765b0c82d1046a23c8d59e76d11f4e6449d4d6826879589

C:\Users\Admin\AppData\Local\Temp\_MEI45242\libffi-7.dll

MD5 d50ebf567149ead9d88933561cb87d09
SHA1 171df40e4187ebbfdf9aa1d76a33f769fb8a35ed
SHA256 6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af
SHA512 7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

memory/4632-362-0x00007FFD9CA40000-0x00007FFD9CA64000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI45242\_ctypes.pyd

MD5 4b90108fabdd64577a84313c765a2946
SHA1 245f4628683a3e18bb6f0d1c88aa26fb959ed258
SHA256 e1b634628839a45ab08913463e07b6b6b7fd502396d768f43b21da2875b506a1
SHA512 91fa069d7cf61c57faad6355f6fd46d702576c4342460dadcedfdcbc07cd9d84486734f0561fa5e1e01668b384c3c07dd779b332f77d0bb6fbdbb8c0cb5091bc

C:\Users\Admin\AppData\Local\Temp\_MEI45242\python3.dll

MD5 c17b7a4b853827f538576f4c3521c653
SHA1 6115047d02fbbad4ff32afb4ebd439f5d529485a
SHA256 d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68
SHA512 8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

C:\Users\Admin\AppData\Local\Temp\_MEI45242\base_library.zip

MD5 f5b15ac0a24a122d69c41843da5d463b
SHA1 e25772476631d5b6dd278cb646b93abd282c34ed
SHA256 ec3b8c865c6e3c5e35449b32dcb397da665d6a10fbee61284489a6c420c72a3b
SHA512 1704611166d63962e14deb6d519c2a7af4f05bca308c1949652fddf89bc526c594ede43a34b9306e5979998576f448951d08ad9e25b6d749d5d46b7d18d133b8

memory/1992-453-0x0000000009050000-0x0000000009072000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI45242\aiohttp\_helpers.cp310-win_amd64.pyd

MD5 79dbf6677f21a17c9561eb008cc2a987
SHA1 096ef929cd31638cdc3ec18883495e5999efd263
SHA256 bd1638d83bcc69d9cadc1812d5db298f67d1e1b2831cc7783587c0ac7cf9b595
SHA512 2d9d8814f0d69b56a7ff1e9bb4207d00f9259113bc8f3e20211341cffeed117829ba9b80d8c0fb9b2da9fc68910a2be039b0fcf1c7bb0de23efee6644d17e164

C:\Users\Admin\AppData\Local\Temp\_MEI45242\aiohttp\_http_writer.cp310-win_amd64.pyd

MD5 878a426eb61ebecdba1016400e8fe60d
SHA1 7ae2f28199cde86ce2cc382d6a1b87b373940d95
SHA256 53fc5a5371a69ec8a700dea681654483c2be301f584d9393789cb5a134ba6aa8
SHA512 d1297868c9400530733538947603e0c73722600c11dc5ce0d7d8371939a7ac840ac0b574b42d9a9a407c3cfbdd938672f73e5da54aa8317eea4053e66fcd6475

memory/4632-458-0x00007FFD87200000-0x00007FFD87217000-memory.dmp

memory/4632-465-0x00007FFD87150000-0x00007FFD8716E000-memory.dmp

memory/1992-466-0x0000000009080000-0x00000000093D4000-memory.dmp

memory/4632-464-0x00007FFD87170000-0x00007FFD87181000-memory.dmp

memory/4632-463-0x00007FFD86B30000-0x00007FFD86EA5000-memory.dmp

memory/4632-467-0x00007FFD87F40000-0x00007FFD87FF8000-memory.dmp

memory/4632-462-0x00007FFD88000000-0x00007FFD8802E000-memory.dmp

memory/4632-461-0x00007FFD9C2B0000-0x00007FFD9C2BA000-memory.dmp

memory/4632-468-0x00007FFD85BA0000-0x00007FFD86295000-memory.dmp

memory/4632-460-0x00007FFD87190000-0x00007FFD871DC000-memory.dmp

memory/4632-459-0x00007FFD871E0000-0x00007FFD871F9000-memory.dmp

memory/4632-471-0x00007FFD87110000-0x00007FFD87148000-memory.dmp

memory/1992-470-0x0000000009A10000-0x0000000009FB4000-memory.dmp

memory/4632-469-0x00007FFD87F20000-0x00007FFD87F35000-memory.dmp

memory/1992-475-0x00000000064F0000-0x00000000064FC000-memory.dmp

memory/1992-479-0x0000000009750000-0x000000000987E000-memory.dmp

memory/1992-480-0x0000000009640000-0x0000000009648000-memory.dmp

memory/1992-481-0x0000000009680000-0x0000000009688000-memory.dmp

memory/1992-482-0x0000000009710000-0x0000000009748000-memory.dmp

memory/1992-483-0x0000000009690000-0x000000000969E000-memory.dmp

memory/1992-485-0x000000000B310000-0x000000000B44E000-memory.dmp

memory/1992-486-0x000000000B6A0000-0x000000000B8EC000-memory.dmp

memory/1992-488-0x0000000009880000-0x00000000098FC000-memory.dmp

memory/1992-491-0x000000000B620000-0x000000000B628000-memory.dmp

memory/4632-501-0x00007FFD87250000-0x00007FFD87368000-memory.dmp

memory/4632-506-0x00007FFD87220000-0x00007FFD87242000-memory.dmp

memory/4632-507-0x00007FFD87190000-0x00007FFD871DC000-memory.dmp

memory/4632-544-0x00007FFD87200000-0x00007FFD87217000-memory.dmp

memory/4632-545-0x00007FFDA2FF0000-0x00007FFDA2FFD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ggbk43vu.kcu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1760-557-0x000001D9FBA30000-0x000001D9FBA52000-memory.dmp

memory/4632-562-0x00007FFD873B0000-0x00007FFD8781E000-memory.dmp

memory/4632-582-0x00007FFD87190000-0x00007FFD871DC000-memory.dmp

memory/4632-588-0x00007FFDA2FF0000-0x00007FFDA2FFD000-memory.dmp

memory/4632-587-0x00007FFD87110000-0x00007FFD87148000-memory.dmp

memory/4632-586-0x00007FFD85BA0000-0x00007FFD86295000-memory.dmp

memory/4632-581-0x00007FFD871E0000-0x00007FFD871F9000-memory.dmp

memory/4632-580-0x00007FFD87200000-0x00007FFD87217000-memory.dmp

memory/4632-579-0x00007FFD87220000-0x00007FFD87242000-memory.dmp

memory/4632-575-0x00007FFDA6790000-0x00007FFDA67A0000-memory.dmp

memory/4632-574-0x00007FFD87F20000-0x00007FFD87F35000-memory.dmp

memory/4632-570-0x00007FFD86EB0000-0x00007FFD87021000-memory.dmp

memory/4632-569-0x00007FFD88030000-0x00007FFD8804F000-memory.dmp

memory/4632-563-0x00007FFD9CA40000-0x00007FFD9CA64000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\CoinbasePasswordSender.svb

MD5 2eb4c6fb0484927f98cbd6d3b7c4ab34
SHA1 dbc5434472a46e36764a161100e014b2d5499eae
SHA256 aa70a162e3af1a44ba9362dc78544a882826b5dddc19aaf3b870a7c4cc09a36a
SHA512 630c14a32e6d514abb8e047cae27f193d924e30878512c3c5b189aaaf8e64800e5255abc44850847c66de9cb4a1996eeff39031f6fe086cb8e66c424035192e0

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\HMA VPN KEY AUTO GEN+CHECKER.svb

MD5 651aeaefbdff22ceb5d55e6b2d0df47b
SHA1 e0f7ab217d41f74dfae98f6055015dc9e21857e4
SHA256 702741eb3f42ab03c33a7dcf827468528b6b89efb19fe3c4e04c8d01be507a67
SHA512 ba09a9429968fb662b71d5f3a18bd217b6484741be62799e3583b1a526e436bc82308a89d0d9d638a3b4a9ed602306557ddabc93e305a3ba17bbae13193309c4

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\Nexo Wallet.svb

MD5 e2d4a76bd03a2e1b977e236ff59c7c58
SHA1 7caa71389249082130180356cf521830120231ee
SHA256 e5d815920777354b78ce091c1bd6379d0977d7ef4ae2b4dc098473deb96829d9
SHA512 501fbd2f921914d1e9b026a3c5654324505472d061c629b982f07322bbd5acec219dc04bfaeff1acfe7ad6c10233103e7b4fc7aebc26fb9fb490d153a7540d11

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\Pibridge Wallet.svb

MD5 ad0ce0ed022b9700b3b799306a012c52
SHA1 4a1adcbbedb45ea9da4783a054257379900ea253
SHA256 468ff3d2e427024a0223a41ffb229cc7b11e7ce6b9b52380d91bd79a2385992e
SHA512 34468532200caa165d34018840655319aa0654425672f065460e2943b5a8721bc8f63d055cb8e90ac3bb7b6940379e13b2fe88e643961a6957613df77514a6da

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\RESTOCKS API (WALLET).svb

MD5 8bbded9f1d9b218251289b486b3a29c6
SHA1 e5ace282b24891fc4d79cda8d9013142a3c8befe
SHA256 841c4226b45c1f3aecb4aa099bde2d56959e3f20abfbc14bc9c4072e8db73438
SHA512 0872fb581ff7efc4d0b7e99da1ed20ec54074a5fc7138f8b1f8992ec9b28b344ba9f66391c8e951bd0fa81d5585cd2f0b194e1b44f7fd0434a90fe1d27ef73e9

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\Trust Wallet API.svb

MD5 088bd79691133c358f83b50778ee39e7
SHA1 e361b2325b79cc2bb83520daa2bb36a7840eff05
SHA256 771f1d5e3c8710292a3b9cdbbc55c54b8b72a58e4efea4af2a63af17d8409cc3
SHA512 af4db0dd5d4b0a81c6232d2f8edaa9a8e403546ee69fac67974545c123829db2672073e4138f5d1bbaf06d9eefd32558ca8199db4bad223b096f1fe7e6247d1e

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\VICTORIA SECRET BRUTER.svb

MD5 4470d00f3b5b0b498befc059072c1cba
SHA1 243e82c1ea0accdcffb38240dac83042a1b8c46b
SHA256 53f46bd63779c65746064d944443dcbc06969a2aa026b6f24a020cafe488fd8d
SHA512 bf9ba90953289afb27e6c4bd640732501f809c9114163167b4a44d28196a014262a881f00bfdecee8a6a1f48fc4f23cab310dc02a8f4f0ab558117468b6da65a

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\Spotify_Account_Creator.svb

MD5 f88846f171ad71cda8d2955751c7cc20
SHA1 12fd09e22ff284b8d3f2eae8f5a1de94076b7316
SHA256 cb0b0402feffcda2e5e66eec58a3c5040e5bffecfb77528d6784962c31eaeb59
SHA512 23c8652dcba43b9898631406384f361e2a0ead41310a941059b7fe5dcfd9cc137e3c209c702a208da5767b74d669045de97989e4314ff59994abe75c8c891c92

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\VICTORIA SECRET.svb

MD5 8a950a195ad16bb2393d594dbcc5d27d
SHA1 03c29afa6d04b4a0e7ed93656781622ef7b963bf
SHA256 250903667e2a2ec3d2282e7d73c710b792e2e022ef06469d4ebbf55157c56f5e
SHA512 65acb2500a17a56c24009d71a550ec99c3a0ad52ba8d9974c4f398968abd67c740c0a10e0501745bcccd7b87d23a7772af5237757b78cec72ac865659d495989

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Configs\wallet.pibridge.org.svb

MD5 ccb04af03377512ad96fd88c0c57752d
SHA1 5d80c6f33bdf94d06c03d8f45d35834fe35d0bc5
SHA256 1cbe6005dd81fae9c8d43b1a7ddd3aa09391e6b891dbf23a4628646576aa5635
SHA512 f4cfeae699a21b1da9426604c48191e0c3fc3a3289044fc48e800cf34485c06f8aae3bce33ab7b087cfae2d693745add907cfceddc2cdc2027cfe4067f072819

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\DB\OpenBullet-BackupCopy.db

MD5 624b3c53b63c7f2e80bda47c8fb51098
SHA1 cd6276cd2d6ad00041c7bb3b6e663af50f9cc584
SHA256 8261daa3e6b21588afa7456dade138ef4d4c085ecba4a3c0c3c2132e364fd306
SHA512 6be94a98cb8113fd1179b42109b4cdb8b24f54ffdeacf7727661f966906cc953fa574e20e123e700899a36fc172c34e3adafb303b30ae972f8801cd68c8b5b81

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\HideSearch.docx

MD5 97e4c63b78b3084d8d15b9609e8be79c
SHA1 e1b1c2a37f89742dcdaa276e1378794c6ec17355
SHA256 59eecf099d977e9110bab7e624fd6c722bc705766039583c0a5311d1e263c3ab
SHA512 3a1fc1f638013f70c08bc7f343465e3dd5678bd29b2ad60033961648b4ae207b51ac66207779d09aae15e3b3378e3d34a6687b9c61f8cf6f36285bb926635dfd

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\OutBackup.vsw

MD5 f4c7e40560ebaeb761923053da2a55d4
SHA1 fd3111b9a32fa947bf077e76aa3ae4e3d347450c
SHA256 e38436cb4b56d9e734125e6d153d03c0e966928bb042c4eadd7742642b6432ad
SHA512 aca0f04f193b8b4142de0318acd18c3fccad912da283cca052e971da0716350c18c7b8878b83f976db9492afde5f3fe6c1ea16cedd80e2f73775c1fe1a96a045

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\OutExit.jpg

MD5 6314da4582637c4c75f4af4ccf1519d4
SHA1 baf87f589e8d1fa0f809371a1afc529de076e88f
SHA256 81cb00afd176bb2ee5d8b22a3f123bc3c3d133b9619f2ece9238898dfa9687d1
SHA512 e23f39424e9ba264b6c65a58cee16fd13bce6714f97b5e09f0f88bc191c188a2eee2c53db0b2565fa277129eed6639e3a02b70215cbcf79b0c3d1a9e0a8f8057

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\StartShow.txt

MD5 0ab53ee53d5aa6b2744eabea8b4f1a71
SHA1 b9e21bbdf26d2cc1cf4c6ad494fa63b8b09aaf1b
SHA256 93aaecc62fc01001447f3916c1033d805631aff858d99e81a15902fa675d8915
SHA512 de330f1f1af7e23c456bb2840ace20ea1bf9df84a206032777c1859c80ee4af8f9a33dfd522bda74a82b43300cf7ccd851a6f7007e63fa83665479146c228605

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\RegisterReceive.docx

MD5 52c7cd9185f31e47a2e3b19f15845e32
SHA1 ef256b0d4815caaa96fcc584b580f79c6558bc1b
SHA256 9f8eefbcc905361b412c53933940643fdbae30de78f8dbba2cea054adf9fcf55
SHA512 7de743d56600d2f3abd9ec5a3d7bf1db2554289c1b9cc2eff7ee019d320a42611bb638837120077df1455b58bfbacdff749130ffa1ace8ba924363d1c794851e

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\PingConvertTo.docx

MD5 7e9649ebd5cbb9507dc8bef432f925ef
SHA1 ee66aaa5645964f02d01ad2ca6ce59ce681275bd
SHA256 ca1a28f5abec201171ee4e7853537e76de56bea49bbd058b16c2e4a229e63ab7
SHA512 29c1ea5dd91f156cd84d44d46ad43f9f613d89fb6b19a6cbe7453bba77ad6f91969abb53b06ca0824735f3ebcd21429b87bc9690222b3bc845477cf988e5fc75

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\EditRestore.csv

MD5 ae2557b137235a024c99db6f7209b9c3
SHA1 aa61217675fca34b6b8a0a4cd1d69b12cfb3cceb
SHA256 db2f9fa8ecec310dcf8bcd5a8e67cbdb582b6766e845a5ee3a3904fa760766ca
SHA512 bba35e818456424c3afabbccace5a2b9c4788a89423b3943a4d00094f4e3e16c813809b5fe267d6ef7b1b50bbbb977078e37de4879f86d0b978eb6609804ccc3

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\CloseDeny.xlsx

MD5 e66d36bb38d306cf86279569f272a158
SHA1 096c5e5d3af653264e88839dcb4e8dc43bd23cea
SHA256 c6efcee975f69f60039fb28d550592930ceba8e14d17539e2445ca60249451e2
SHA512 563ecfb442f583b795e3baa788c737d9d0b4a070824b1ba66d8573c1bf25877a467ab42e07c468ea840097200956f1fdc477b26e1779618c511671ac11653364

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\SubmitEdit.docx

MD5 3349cb13db51168f986cff4cfd328d64
SHA1 be4b022b7dc5f2b5dd0d86c336bafc1a111dce57
SHA256 b2dd500bf34b052c4a48cb40782e4dabfd987888fd81e2d736f34b37ca8fa57d
SHA512 5eb00c7a9b268ed114c180cecb12ac6377fbf8aa3b9c97cf8f37424db14c5690e2b9dfd05c60d1ae928e6ccc1050c66c47a0ef5669b511cd72df6cf8e19e5108

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\OutSave.docx

MD5 6911cb0f6b3c0b39072965d2f881d4a9
SHA1 0b49780273c7fb8b255b5c5a4b22e19cd02944f0
SHA256 73d83af84512d3d379757cf06d02fcde1e96b066c39418ef661348a1a00a7f2e
SHA512 de93642a2e0b1fb3ca14080fad91d088d5c8d1dde5c869835481140237e65e627903f8247692e102ab3e7cb54c3d7f8a4586a28c59ce4913f8f8a17131f3f509

memory/4632-787-0x00007FFD873B0000-0x00007FFD8781E000-memory.dmp

memory/4632-807-0x00007FFD87190000-0x00007FFD871DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RestoreSearch.csv

MD5 83c3e91e0792648e59a7a2c044e910b3
SHA1 45bba9c756b11bce374d62017472d1ed37f4780a
SHA256 c7b5dbc0dcfb677b4b4a66dfee6744d7e5fde29028e780a718f70f116f8f3293
SHA512 27bde127ea53edcf4f140ea4793cc92154d1ccfae1e17340d8ba0a027a582e94f8f15cc12cd5f8c805ff8628d6679a7689920d8c9ef0976e3f4a84327c1071d5

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ResizeInitialize.docx

MD5 74f588760761ccf90da72be376f5152e
SHA1 38739716168958ac78bddda787cd3d41c715afbe
SHA256 f93799a73698f4ef027e4535ebda8578fbb0432aa57802f19c90c9a6008eed50
SHA512 bd30c21c33011fcce3892f4f3a75e03df46378eb035f3ebd32357e6a873a79bae4d8fb4776f54e6ef84c6c1096b86ea2fdea4d70c5688bbc21af434eb17aa91d

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RemoveStart.xlsx

MD5 b78ffda1fa43aa28cb43d2c7edd0e00c
SHA1 15523f9738df57e70881e1ccd90d0f65b5ad3ab5
SHA256 d5a2b3d09725d9a0ace2715ec4245674712b96738cf913f2f8b03644e8aa17e0
SHA512 fd27864bbcf5aab62458501c4d64306d171e7bbd3bdfa080144f0ec6cbccf62bb8c910a7d0132ced3dd4d2e0cd9fcf10dfa9ab0a9b6110809898daebe1bc6222

memory/4632-806-0x00007FFD871E0000-0x00007FFD871F9000-memory.dmp

memory/4632-804-0x00007FFD87220000-0x00007FFD87242000-memory.dmp

memory/4632-799-0x00007FFD87F20000-0x00007FFD87F35000-memory.dmp

memory/4632-798-0x00007FFD87F40000-0x00007FFD87FF8000-memory.dmp

memory/4632-797-0x00007FFD86B30000-0x00007FFD86EA5000-memory.dmp

memory/4632-796-0x00007FFD88000000-0x00007FFD8802E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\CheckpointCopy.jpg

MD5 2452dd6a1c9f14c59afb61d0235a3c5d
SHA1 ec0ccee326934d977f3967235bc23cbcbc869116
SHA256 3cc93eab4941bf3376f9f273a1808863928c7952f7c3aa1f3701ec627230113d
SHA512 16e64128b3d00f6becfb643cf03b78e52662cbd966eabf1c43e1676f3a68a0773568f14750f3c6d2a41f894469a8d072fee52d10640e3de10650121167598dd0

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RestoreSet.xlsx

MD5 65ea650bd755de9bece169f8dd06d663
SHA1 6d46b4892c76cd7f39a7aa8977bd8c3e2964326d
SHA256 9327a459d7246216c4f3e2317ca7975ce3f68b6532063d3a32c9ddfa71616d2a
SHA512 cc225a1249bc43341d940f574537a1a290c1c5fc9bdbfef433d8eb2d53bbd51bf5e60ad2731324fad12c6c4adae55690e806741b098879b08dacc0b116d4dce4

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ConvertFromCompare.xls

MD5 5178d6dca1e1d8a34e5a1677d03116b9
SHA1 0e1894940a13fae600b380fd89bbeaa133a29879
SHA256 cb18ce9858910f68e4ceea980e1c04a3ee33ee6d38d81ebdf75b86db1825b8bd
SHA512 2e9afff1474f5077050ec314d07b7ce8fccb181e04fb4138b60e091d9e820f1bdaca15c58f35f1f0f725031442e61a0acb87db9f95cef1b035de3fe7b0db2bc0

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\RemoveStep.jpg

MD5 64215b68e25fb8a0bebeb1d91e784b7a
SHA1 281152aa8884bfd91e9440627d58ce2435f6d560
SHA256 4eb3e9f84bf5eee0966c03dac16fb5f6ba52ebec9063a59a1b28ee73138e5823
SHA512 bda6d5712ac0bb3cc86a1f4c069a0aa61bb124f308f34bfaf5a947df790680ec635ae819fd3cd8bf4552833ef7e230d0ee51c14727fd16f27563bbd6a1919232

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\RevokeShow.jpeg

MD5 e6b2e64540c5408bf3914ad3a554edfa
SHA1 44f9d0d666c9826f6f6ee68cf0342dd74decbc49
SHA256 145b5c3cc83d942e4c78c6e6ac9472b7822b31b9d28ad3ad2286054c08417392
SHA512 35aaadedc9f33fc032a0c8d87b4cc965f1ce42c1dd0e1be9d5215f069318066e20cf3b70e929883a95e7979d5aecbf7009c1c8729eabfbc92ccff057c843ffe8

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\UnprotectGet.xls

MD5 577a4d20bf1117a5dc8220f26ea0a51b
SHA1 86824dbd6e0461fe3bfb80d6e2c9f6b5909ab50f
SHA256 626b8a1685c69b86feadfd054686d494a5ed0d714f88d63edb3c8f211a07a5ac
SHA512 d011f47924e480aa50a5b5a25becfbd889a3c321a88e9cefa12d215ac5b9464d58620113043b43de9cacfd7f1aa012152e15a021d1738ae5f9bc76527efc2dc0

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\MeasureProtect.jpg

MD5 82ada01a397e0b78e0e0bccc35476b8c
SHA1 4c6b57583e07caad4c22e3e5e78d75d9e00b7a09
SHA256 e24ed92e50254bf59919c3fcf25bf03cc0fc162878255891794df6cb58b15497
SHA512 c4ee8bd3e486b63d57dd038a58bf2cceed55f4bd4e25b6958f5a7630dbb19c0ed9e96fd72a1dc1459927fd3a141bdcc51d923d1663f0b8a89b53fdef44fb0bd1

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\ReadExport.xls

MD5 7b8f484f58bf0fa81c679c641843d3b8
SHA1 a639f54abf5536aa3c8accf86b90c2bdf9235518
SHA256 96425c8a5ebcdf1aa9331aafe9a566782a150eab0b12cdec543ddf52514df352
SHA512 381552a38dfd6a0baa1a28a72c013f491a34e96bea9432ba2ac6023b2d34a0ad7640d91305f4040e924102f1bbe98002d599e615a606e8c3f8f97ebc32183343

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\WatchResolve.xlsx

MD5 7fec23b722300cf16a31dec23fad915b
SHA1 8ca7e883121bcf6d81b013ebc2022d338fe8b584
SHA256 9eebfea4e68e4b61f197255fb9e3c25584a204cbf531695e213f62fcb2f0efc5
SHA512 4597a1ff0c9d3f8089956e32b5464114527572f4eebe6e8d86a63884372e5607279aece0073fecfd714715383a3c8f51ce6b87c18c692a6c89257d718f7f3c04

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\SkipUse.png

MD5 dc018c8a59c7b6f58f2f40fcd2fbc3b5
SHA1 be17b0ebca6d8c238645178809a501cb140ab1bc
SHA256 0ab6385d6c80962b8f68982a3f2839403aaaf660911d8a299aca6361afeb1d32
SHA512 e7ea043cfa9deb3352fee95c851f59f37f743c283e7690d205a4a498922c377fdf855588cfb8cb9fa2190ecc47c9178e74bb1bcd44aebb0b4b7a7386618251f7

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Wordlists\2985 HOTMAIL ACCESS.txt

MD5 19713b193e36fefc518a4e3eec994e7a
SHA1 a39b7d763b1ab5b9cdc47da758a66e359d4c2e5c
SHA256 e0eb80a9cae2f6229ca4bdbca60d500c1d8190f9a60089d8386cbdfbc8758448
SHA512 08b4c0df4b43259797b775dcc1621dc0b12868dfc60af3e62e83ed6adbb4df8e24c050f033ed47e8e2d918aaf61f2150124f092e03af282cb7dc5b94b171c189

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\SilverBullet.v1.1.4\SyntaxHelper.xml

MD5 0a7d014f0d24c2af38e867d859a369da
SHA1 a86612a2b200637c0d4b2e05447469ba2e48f080
SHA256 668234ca5e416fe08661762970823e7fc7ed263dfdc85ca0c7cd851301a39954
SHA512 b9da3ac84c19ce9611a7840bec4a9326576f06b20460d842be1dc1896099bf8f597618d1340d84b64226a1648ba9658fa0c704434236c85a35bfb919e7399002

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\SilverBullet.v1.1.4\Readme.txt

MD5 f9a3a6260575112c46525b40d763361d
SHA1 fc20fa1668ecfd1088c39154bc6baf5ff5f4c642
SHA256 5011eba80a1fc9b3a384ef8c8f3ae0d7bf5dff9c38de081997f6e5e13a8cfaa2
SHA512 8e5b479b4c54607bf3f4dca58654defc1472daff03a155fb2b912284cdd8973d3425a36243c4ad0e21af5f927451f3a992f60ed0088e66870562bb0d07443f15

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\SilverBullet.v1.1.4\Log.txt

MD5 4de9097d526b7b59bf10be4cf6606351
SHA1 564e0ef1cb1962e0825d395868bf754b3fb0ab97
SHA256 550d31e5be055d556299b10b02591a54f17a56a31709ae9652fb8db45e4a3f1a
SHA512 2e35d5f6c8e4f64ad5080850f37dc4b5008814d1c7e16b5bda20b3822a8726decba8a4ee297f382fd46851e46880902fef61264524bb903253fbaaa369e2656e

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Settings\Update.txt

MD5 68934a3e9455fa72420237eb05902327
SHA1 7cb6efb98ba5972a9b5090dc2e517fe14d12cb04
SHA256 fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa
SHA512 719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

MD5 a51464e41d75b2aa2b00ca31ea2ce7eb
SHA1 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA256 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512 b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

memory/4632-873-0x00007FFD873B0000-0x00007FFD8781E000-memory.dmp

memory/4632-969-0x00007FFD873B0000-0x00007FFD8781E000-memory.dmp

memory/4632-985-0x00007FFD87250000-0x00007FFD87368000-memory.dmp

memory/4632-984-0x00007FFD87370000-0x00007FFD87384000-memory.dmp

memory/4632-983-0x00007FFD87390000-0x00007FFD873A4000-memory.dmp

memory/4632-982-0x00007FFDA6790000-0x00007FFDA67A0000-memory.dmp

memory/4632-981-0x00007FFD87F20000-0x00007FFD87F35000-memory.dmp

memory/4632-980-0x00007FFD87150000-0x00007FFD8716E000-memory.dmp

memory/4632-979-0x00007FFD87F40000-0x00007FFD87FF8000-memory.dmp

memory/4632-978-0x00007FFD88000000-0x00007FFD8802E000-memory.dmp

memory/4632-977-0x00007FFD86EB0000-0x00007FFD87021000-memory.dmp

memory/4632-976-0x00007FFD88030000-0x00007FFD8804F000-memory.dmp

memory/4632-975-0x00007FFD8B570000-0x00007FFD8B59D000-memory.dmp

memory/4632-974-0x00007FFD8B5A0000-0x00007FFD8B5B9000-memory.dmp

memory/4632-973-0x00007FFD9D320000-0x00007FFD9D32D000-memory.dmp

memory/4632-972-0x00007FFD8B5C0000-0x00007FFD8B5D9000-memory.dmp

memory/4632-971-0x00007FFDA1DF0000-0x00007FFDA1DFF000-memory.dmp

memory/4632-970-0x00007FFD9CA40000-0x00007FFD9CA64000-memory.dmp
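
The Files listing above mixes three kinds of entry: staged copies of victim documents under the stealer's working directory, memory dumps (no hashes), and placeholder objects such as a named pipe whose four digests are simply the digests of zero bytes. The following parser, added here as an example and not part of the report or of any sandbox tooling, reads that listing format into records, rejects malformed digests, separates those three kinds, and groups the staged loot by the folder it was taken from. SAMPLE is copied from entries in this report; the staging prefix is the one the listing shows.

```python
"""Parse the Files listing of this report into IOC records and sanity-check them.

Added example, not part of the original report. It assumes the listing format
shown above: a path line, then MD5/SHA1/SHA256/SHA512 lines; memory/... dump
entries carry no hashes. SAMPLE is copied from entries in this report (two files
from the Exela staging directory, one memory dump, the crashpad named pipe).
"""
import hashlib
import re
from dataclasses import dataclass, field

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Staging directory the stealer used on this host (taken from the listing above).
STAGING_PREFIX = "C:\\Users\\Admin\\AppData\\Local\\Temp\\StealedFilesByExela\\"
# Digests of zero bytes, computed rather than pasted so the check cannot drift.
EMPTY_DIGESTS = {a: getattr(hashlib, a.lower())(b"").hexdigest() for a in DIGEST_LEN}

SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\RegisterReceive.docx

MD5 52c7cd9185f31e47a2e3b19f15845e32
SHA1 ef256b0d4815caaa96fcc584b580f79c6558bc1b
SHA256 9f8eefbcc905361b412c53933940643fdbae30de78f8dbba2cea054adf9fcf55
SHA512 7de743d56600d2f3abd9ec5a3d7bf1db2554289c1b9cc2eff7ee019d320a42611bb638837120077df1455b58bfbacdff749130ffa1ace8ba924363d1c794851e

memory/4632-787-0x00007FFD873B0000-0x00007FFD8781E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\EditRestore.csv

MD5 ae2557b137235a024c99db6f7209b9c3
SHA1 aa61217675fca34b6b8a0a4cd1d69b12cfb3cceb
SHA256 db2f9fa8ecec310dcf8bcd5a8e67cbdb582b6766e845a5ee3a3904fa760766ca
SHA512 bba35e818456424c3afabbccace5a2b9c4788a89423b3943a4d00094f4e3e16c813809b5fe267d6ef7b1b50bbbb977078e37de4879f86d0b978eb6609804ccc3

\??\pipe\LOCAL\crashpad_1112_IOZJIABFXSVIKSYC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

HASH_LINE = re.compile(r"(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)")


@dataclass
class FileEntry:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def is_memory_dump(self) -> bool:
        return self.path.startswith("memory/")

    @property
    def is_staged_loot(self) -> bool:
        return self.path.startswith(STAGING_PREFIX)

    @property
    def is_empty_content(self) -> bool:
        # Every recorded digest equals the digest of zero bytes: a placeholder, not content.
        return bool(self.hashes) and all(
            self.hashes[a] == EMPTY_DIGESTS[a] for a in self.hashes
        )


def parse_files(text: str) -> list:
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.fullmatch(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{current.path}: {algo} is {len(digest)} hex chars, expected {DIGEST_LEN[algo]}")
            current.hashes[algo] = digest
        else:
            current = FileEntry(path=line)
            entries.append(current)
    return entries


def summarize(entries: list) -> dict:
    loot_by_folder = {}
    for e in entries:
        if e.is_staged_loot:
            folder = e.path[len(STAGING_PREFIX):].split("\\", 1)[0]
            loot_by_folder[folder] = loot_by_folder.get(folder, 0) + 1
    return {
        "total": len(entries),
        "memory_dumps": sum(e.is_memory_dump for e in entries),
        "empty_content": [e.path for e in entries if e.is_empty_content],
        "loot_by_folder": loot_by_folder,
        # SHA256 of the staged copies: they identify what left this host, not the stealer binary.
        "sha256_iocs": sorted(e.hashes["SHA256"] for e in entries if e.is_staged_loot and "SHA256" in e.hashes),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_files(SAMPLE)).items():
        print(f"{k}: {v}")
```

Run it over the full Files block of either analysis by replacing SAMPLE with the pasted text. The empty-content check matters when turning a report into a blocklist: the crashpad pipe's digests are the digests of an empty input and would match every zero-byte file on every host.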

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-16 17:54

Reported

2024-11-16 17:56

Platform

win11-20241007-en

Max time kernel

145s

Max time network

141s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/EF5CxB7Q#Ivrmu9gJBFm8mqpFHiacc3n75gtayXptVrTm4k8PbtY

Signatures

Browser Information Discovery

discovery

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 identical hits)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1112 wrote to memory of 3648 (2 hits) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1112 wrote to memory of 568 (40 hits) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1112 wrote to memory of 1432 (2 hits) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1112 wrote to memory of 1072 (20 hits) N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

All 64 writes come from a single msedge.exe process (PID 1112) into four other msedge.exe processes. Source and target are the same browser binary, which is consistent with the browser process launching the renderer, GPU and utility children listed under Processes, not with injection into a foreign process. In this detonation the browser only opened the mega.nz page: no downloaded payload runs, and the stealer signatures and staged files on this page come from behavioral1.

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/EF5CxB7Q#Ivrmu9gJBFm8mqpFHiacc3n75gtayXptVrTm4k8PbtY

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffda74f3cb8,0x7ffda74f3cc8,0x7ffda74f3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,11457705018241553996,13850757187141756302,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5144 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 mega.nz udp
US 8.8.8.8:53 mega.nz udp
LU 31.216.145.5:443 mega.nz tcp
LU 31.216.145.5:443 mega.nz tcp
LU 89.44.169.134:443 eu.static.mega.co.nz tcp
LU 89.44.169.134:443 eu.static.mega.co.nz tcp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 134.169.44.89.in-addr.arpa udp
LU 66.203.125.12:443 g.api.mega.co.nz tcp
LU 66.203.125.12:443 g.api.mega.co.nz tcp
LU 89.44.169.134:443 eu.static.mega.co.nz tcp
N/A 127.0.0.1:6341 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:6341 tcp
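
Three of the DNS rows above are reverse lookups (in-addr.arpa), and two of them name addresses that have no connection row of their own: 22.49.80.91.in-addr.arpa and 95.221.229.192.in-addr.arpa decode to 91.80.49.22 and 192.229.221.95, while 134.169.44.89.in-addr.arpa is just eu.static.mega.co.nz resolved backwards. The script below is an added example, not part of the report; it parses the table in the report's column order, decodes PTR names, drops DNS, loopback and multicast traffic, and lists the addresses that appear only through reverse lookup so they can be checked against a packet capture. The rule for what counts as an external destination is this example's own.

```python
"""Cross-check the Network table above: reverse-DNS names reveal IPs the
browser resolved that have no TCP row of their own.

Added example, not part of the original report. SAMPLE rows are copied from the
behavioral2 Network table in the report's column order (country, destination,
domain, protocol); rows without a domain have three columns. What counts as an
"external" destination is this example's own rule.
"""
import ipaddress

SAMPLE = """\
US 8.8.8.8:53 mega.nz udp
US 8.8.8.8:53 mega.nz udp
LU 31.216.145.5:443 mega.nz tcp
LU 89.44.169.134:443 eu.static.mega.co.nz tcp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 134.169.44.89.in-addr.arpa udp
LU 66.203.125.12:443 g.api.mega.co.nz tcp
N/A 127.0.0.1:6341 tcp
N/A 224.0.0.251:5353 udp
"""


def parse_rows(text: str) -> list:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:          # no domain column
            parts.insert(2, "")
        country, dest, domain, proto = parts
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port), "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name: str):
    """'22.49.80.91.in-addr.arpa' -> '91.80.49.22'; None for anything that is not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def external_destinations(rows: list) -> list:
    """Distinct (ip, port, proto) for routable, non-DNS destinations; loopback, link-local and multicast drop out."""
    out = set()
    for r in rows:
        addr = ipaddress.ip_address(r["ip"])
        if r["port"] == 53 or addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast:
            continue
        out.add((r["ip"], r["port"], r["proto"]))
    return sorted(out)


def reverse_lookup_gaps(rows: list) -> list:
    """IPs that appear only as PTR queries, with no connection row to match them."""
    contacted = {ip for ip, _, _ in external_destinations(rows)}
    queried = {ptr_to_ip(r["domain"]) for r in rows} - {None}
    return sorted(queried - contacted)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE)
    print("external:", external_destinations(rows))
    print("PTR-only IPs:", reverse_lookup_gaps(rows))
```

A PTR-only address is not evidence of a connection by itself; it shows only that something on the host asked for that name. It is, however, the kind of detail that a hash-and-domain IOC export silently drops.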

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 a28bb0d36049e72d00393056dce10a26
SHA1 c753387b64cc15c0efc80084da393acdb4fc01d0
SHA256 684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1
SHA512 20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

\??\pipe\LOCAL\crashpad_1112_IOZJIABFXSVIKSYC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855